Starting on January 1, 2020, fashion and retail companies from around the world will need to comply with the strongest online privacy law in the United States, the California Consumer Privacy Act of 2018.
This new law will apply to any business with at least $25 million in annual revenue, any business that handles information from more than 50,000 individuals, or any business that derives more than 50 percent of its annual revenue from selling consumer personal information. Critically, most of the privacy rights discussed herein will not apply to those businesses that collect personal information for a single one-time transaction, so long as the business refrains from selling or otherwise using such information to re-identify consumers.
Several changes to the law are anticipated between now and January 1, 2020, as industry groups are currently lobbying to further dilute the bill. However, barring any major changes, these are the Top 5 operational impacts that are likely to affect the fashion and retail industry once the new law arrives.
#1 – Companies must give their consumers the ability to “opt-out” of sharing personal data
Retail and fashion clients will be required to disclose to consumers if their company has a practice of selling consumer data to third parties. If so, companies will be required to display a “Do Not Sell My Personal Information” link on their website, which will provide consumers the ability to opt-out of the sale of their data.
Once a consumer chooses to opt out, businesses will be barred from asking consumers to change their preference for at least 12 months. Importantly, the current text of the law uses the term “consumer” instead of “customer,” meaning that CaCPA will likely apply to any California resident, regardless of whether that individual has ever purchased an item from a retailer.
#2 – Companies must be able to provide consumers with access to the information about them
Consumers have long desired greater transparency in businesses’ privacy practices. Under CaCPA, California residents will now have the right to request specific information about how their personal data is processed, for what purposes it is processed, and with whom it is shared.
To satisfy this requirement, retailers and e-commerce providers will need to build the ability to verify a consumer’s identity and respond to an access request as promptly as possible. Although companies will have some discretion in how they implement these requirements, the law does contain several guideposts:
- Responses must be free of charge;
- Responses must be delivered within 45 days of receiving a verifiable request;
- The response must apply to the 12-month period preceding the access request;
- The response must be provided in writing, in a “readily usable format” that allows the consumer to transmit the information from one entity to another “without hindrance;” and
- The response must be delivered through the consumer’s account, by mail, or electronically, all at the consumer’s option.
#3 – Companies must honor consumer requests to delete their data
CaCPA grants consumers the right to request that a company delete their personal information. Under the current version of the law, businesses are required to satisfy these requests within 45 days of receiving such a request. Importantly, the law also requires businesses to direct any of their service providers to do the same if they possess that consumer’s personal information as well.
Similar to other privacy laws, CaCPA contains several robust exceptions to this deletion requirement. However, these exceptions are generally broader than those in other privacy laws, including the European Union’s General Data Protection Regulation (“GDPR”). Therefore, companies will need to keep track of the differences between these two regimes, and ensure that deletion exceptions arising under CaCPA are not misapplied to the information of EU residents.
Under CaCPA, businesses are not required to delete information “if it is necessary” to:
- Complete the transaction for which the individual’s data was collected;
- Provide a good or service the consumer has requested;
- Perform a contract between the business and the consumer;
- Detect security incidents;
- Protect against “malicious, deceptive, fraudulent, or illegal” activities;
- Prosecute people responsible for “malicious, deceptive, fraudulent, or illegal” activities; and
- Ensure the company’s exercise of “another right provided for by law.”
#4 – Privacy notices will need to be updated
Given that CaCPA places such a premium on transparency, it’s unsurprising that the law will also require companies to update their privacy notices in order to inform California residents of their new rights under the law. Therefore, it is imperative that retail and fashion companies who either collect or sell personal information of California residents update their privacy notices before the January 1, 2020 deadline. As the deadline approaches, businesses are advised to meet with their internal stakeholders to update their privacy notices as needed. The authors of this client alert are available to guide businesses in revising these notices.
#5 – Companies can only sell the personal information of minors if they “opt-in”
Related to the requirement above, CaCPA further restricts businesses from selling the personal information of consumers less than 16 years of age, unless the minor has provided their affirmative consent. In other words, companies can only sell the personal information of a consumer younger than 16 years of age if they have “opted-in,” and agreed to the sale of their personal information. For consumers 13 years or younger, this opt-in consent must be provided by a parent or guardian.
California Governor Jerry Brown rushed to sign CaCPA on June 28 of this year in order to avoid a stricter ballot initiative from being sent to individual voters at the polls this November. Since the bill will not go into effect until January 1, 2020, we can expect several “clean-up” bills to be passed over the next 15 months.
Indeed, as recently as August 31, 2018, both chambers of the California legislature passed an amendment to CaCPA limiting the private right of action established under the law to actual data breaches. The amendment, among other changes, further clarified that any obligations imposed on businesses by CaCPA should not be construed to infringe on a business’s own speech rights or the free speech rights of another consumer. Governor Brown has until September 30, 2018 to sign or veto the bill; otherwise the amendment will become law without being signed.
In the interim, we can also expect the California Attorney General to continue working with commercial groups and consumer advocates to develop industry-based guidance in the year ahead. However, these groups will need to rapidly organize their efforts, as any changes to the law will need to have been incorporated prior to the January 1, 2020 enforcement deadline.