Just when you thought it was safe to collect personal information again... the California legislature acted!
Even if your business is not subject to the GDPR because it does not collect personal information from EU residents, whether by design (blocking EU IP addresses) or by happenstance, the new legislation is likely to be important. If your business conducts, or intends to conduct, operations on a national level within the US and in so doing collects information from consumers, you need to pay attention. A high-level description is contained here.
We will have more to say about the legislation in the future as commentary and regulatory guidance emerge. In its haste to meet a deadline, the legislature enacted the law with known drafting problems, so it is expected to be amended before it takes effect. For now, let it suffice to say that the law is intended to give consumers much more notice of, and control over, the use of their personal information, particularly with respect to its sharing with third parties, whether they are data brokers or marketing partners.
As under the GDPR, the definition of "personal information" is broadly expanded to include data previously considered non-identifying in the United States, such as an Internet Protocol address. The right of a consumer to opt out of the sale of personal information (with affirmative opt-in consent required before selling the personal information of consumers under 16) and the right to demand deletion of information are among the GDPR-like concepts California has adopted in its privacy law. Additionally, it appears that a data breach can occur under the law if just one item of personal information is compromised, which would be a significant departure from the "name in combination with..." formula that has been the norm thus far for data breach statutes.
The legislation will not take effect until January 1, 2020, but significant lead time will be required for compliance. Among other things:
- Existing privacy policies will have to be substantially revised by that date;
- In the interest of efficiency, we strongly recommend that the new requirements be applied immediately to new policies and to significant revisions of existing ones;
- The data mapping exercises required for GDPR compliance are also necessary in some form here, especially in light of the increased scope of "personal information";
- Data processing agreements with vendors entrusted with personal information are also a key part of a compliance strategy; and
- For some small and mid-sized businesses, consideration should be given to whether the law's de minimis exceptions apply.
While not directly pertinent to a compliance strategy, it is worth noting that, although the mechanics and scope of GDPR enforcement are still taking shape, we anticipate far fewer such questions with the California legislation: judgments based upon violations will be readily enforceable in US courts.
For all companies potentially impacted by this legislation, meaning everyone dealing with consumers whose operations are not confined to one locale, we suggest prompt discussion with your FisherBroyles lead and our privacy partners to determine what action is best for you.