Last week, California passed expansive new legislation to regulate the collection, purchase, sale, and processing of personal information of California residents. The California Consumer Privacy Act of 2018 (CPA), effective January 1, 2020, is the first U.S. law to address these issues. Companies that do business with California residents or operate a website that is accessed by California residents will now face another layer of regulatory oversight and potential liability. These companies are still reeling from the European General Data Protection Regulation (GDPR).
The new legislation provides statutory damage penalties on a per-consumer basis for breaches enabled by a failure to implement reasonable security procedures and practices, with higher penalties for intentional violations. The California Attorney General can enforce the CPA, and the CPA also provides a private right of action for consumers in certain circumstances.
Who is Covered? Any for-profit legal entity with annual gross revenues in excess of $25 million (or that derives 50% or more of its revenues from selling consumer data), and that also receives for commercial purposes, buys, sells (including disclosure for monetary or other valuable consideration), or shares for commercial purposes, the “personal information of 50,000 or more consumers, households, or devices” will be subject to the new law. Although by its terms the CPA covers only entities that do business in California, the State’s historically broad interpretation of the geographic reach of its regulation makes it likely that the Act will be applied as well to companies whose only contacts with the State are corporate websites accessed by California residents.
Only if every aspect of the company’s commercial conduct takes place outside of California can the entity be certain it is not subject to the law. In addition, the CPA does not apply to information governed by the Health Insurance Portability and Accountability Act (HIPAA) or to information purchased from or sold to a consumer reporting agency for use in generating a consumer report governed by the Fair Credit Reporting Act.
What Information is Covered? The CPA defines “personal information” very broadly, more broadly perhaps than other statutes and regulations. It includes all types of personally identifiable information, not only names and social security numbers, but also any unique personal identifier; physical, email, and IP addresses; driver’s license and passport numbers; commercial information such as records of personal property, products or services purchased or considered, consumer histories and tendencies; geolocation data; biometric information; internet or electronic network activity or history; professional and employment-related data; and educational information. Information that is “publicly available” – for instance, in publicly accessible governmental records – is not covered, however.
What Does the CPA Require? The CPA requires covered entities to notify consumers, prior to collecting their data, of the categories of personal information to be collected and the purposes for the collection, as well as the consumers’ right under the Act to have their data deleted.
Consumers are also awarded the right, twice per year, to request details about the collection of their personal information. The entity must respond within 45 days of each such request. Consumers are entitled to know:
- the categories of personal information about them that were collected;
- the categories of sources from which their data was collected;
- the business or commercial purpose for collecting or selling the data and the categories of data involved for each such purpose;
- the categories of third parties with whom the data was shared (with a breakdown of the specific categories of personal information shared with each category of third party involved); and
- the specific personal information the entity has collected on the consumer.
The CPA also requires opt-in consent to sell personal information of an individual the business actually knows to be younger than 16 years of age.
Finally, the CPA prohibits retailers from treating consumers who opt out of sharing their data any differently from those who don’t opt out. That prohibition could mean the end of customer loyalty programs, where the retailer offers discounts to those who sign up for such programs.
What to Do Now Covered companies that have just amended their privacy policies to conform to the GDPR may have to revisit those policies in light of the CPA. Many businesses across the United States are already criticizing the CPA. Since the California legislature enacted the CPA quickly to forestall voter approval of proposed more-restrictive legislation in November, some commentators expect the California legislature to enact corrective legislation before the CPA becomes effective. Proponents of the CPA are adamant that they will not allow any such “cleanup bills” to dilute the new protections provided to consumers in the legislation.