Data-privacy legislation is in vogue. Including in North Carolina.
But this post looks at the new data-privacy law in a different state, California. The law, called the California Consumer Privacy Act (or “CaCPA” to some), was a hurried response to a proposed citizen-ballot initiative (the history of which is the subject of an interesting recent piece in the New York Times Magazine).
CaCPA enacts sweeping changes to the consumer-privacy legal landscape in California—and nationally, including here. This post examines how CaCPA could affect North Carolina businesses when it goes into effect in January 2020.
What does the new California law do?
Weighing in at over 10,000 words, CaCPA is long and complicated. But distilled to its essence, the law makes two primary changes.
First, CaCPA will require businesses to disclose detailed information about their online and offline information-collection practices. The law requires businesses to disclose to consumers the personal information they collect, how and why they collect it, and the third parties to whom they disclose or sell it. And if a consumer asks, a business must also provide the “specific pieces of personal information” that the business has collected about that consumer.
Second, CaCPA gives consumers significant new rights to control how businesses use their personal information. Businesses must give consumers the ability to opt out of sales of their personal information through a toll-free telephone number and a “Do Not Sell My Personal Information” link on the business’s website.
CaCPA also confers on consumers the right to request that the business delete any personal information about them that the business holds. And, in general, a business cannot “discriminate” against a consumer for exercising these rights by charging different prices or providing a different level or quality of goods or services.
How could CaCPA apply to a North Carolina business?
CaCPA’s requirements apply to any business that collects personal information from California residents, “does business in California,” and satisfies any one of these three criteria:
- has annual gross revenues over $25 million;
- annually buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices in California; or
- derives 50% or more of the business’s annual revenue from the sale of California residents’ personal information.
At first blush, North Carolina businesses that have no physical presence in California might think they’re safely outside CaCPA’s reach. But a closer look reveals various ways that these businesses could end up subject to CaCPA’s requirements.
First, although CaCPA does not define “doing business” in California, that term is likely to be interpreted broadly. Another California statute defines it as “actively engaging in any transaction for the purpose of financial or pecuniary gain.” Thus, for example, a North Carolina business that uses a website to sell products or services to California residents will be covered, if it meets any of the other three criteria.
Second, assuming it “does business in California,” any North Carolina business that operates a generally accessible website may find it hard to avoid annually “receiving” the personal information of 50,000 or more California consumers, households, or devices.
That’s because CaCPA’s definition of “personal information” extends to identifiers commonly collected by websites, including Internet Protocol Addresses, and “information regarding a consumer’s interaction with an Internet Web Site, application, or advertisement.”
Third, the statute extends to parent companies and subsidiaries that “share common branding” with a business that is subject to the law. Thus, any North Carolina business that shares a common name, service mark, or trademark with an affiliate that falls within the statute will be subject to its requirements when interacting with California residents.
The law does include one key scope limitation: the collection and sale of personal information where “every aspect of that commercial conduct takes place wholly outside of California” are expressly excluded from the statute’s requirements. That exclusion would cover transactions between a North Carolina business and a California resident that take place outside California, as long as no part of any later sale of the information takes place in California.
What legal exposure does CaCPA create?
CaCPA empowers the California Attorney General to impose major civil penalties for violations of its requirements: $2,500 “per violation,” which can be increased to $7,500 if the violation is intentional. And we can expect the Attorney General to treat each consumer affected by a business’s failure to comply with CaCPA’s requirements as a separate and distinct “violation.”
CaCPA also gives consumers a limited private right of action when certain sensitive categories of personal information are compromised in a data breach because of the business’s failure to implement and maintain reasonable security procedures. In a boon to plaintiffs’ class action lawyers, those consumers can recover statutory damages between $100 and $750 “per incident.”
The California business community has already launched an effort to “clean up” some aspects of CaCPA. They’ve sent a letter to the sponsor of the original bill seeking to amend the law to correct drafting errors and fix aspects of the law that would be “unworkable” and lead to negative consequences “unintended by the authors.”
This and other efforts might result in some changes to CaCPA’s operational requirements before the law goes into effect in 2020. But it seems unlikely that they’ll result in any significant changes to the law’s core requirements.
Meanwhile, any North Carolina business that directs activity toward Californians should begin to evaluate whether and how it might be subject to the law. If it falls within CaCPA’s reach, the business would do well to start evaluating how to comply sooner rather than later. 2020 will be here before we know it.