Sweeping Privacy Legislation Hits the United States
June 29, 2018
If your business has customers in California, you will need to comply with the Consumer Privacy Act.
On Thursday, California enacted its state Consumer Privacy Act, the first state law that will bring “GDPR-like” privacy protections to consumers in the United States.
When the European Union’s General Data Protection Regulation took effect on May 25, 2018, many U.S. businesses may have assumed (correctly or incorrectly) that they were not subject to the law. But, as we have been advising clients, GDPR was the bellwether for a global trend toward increased protection for privacy rights of individuals. That tide of privacy protection now has reached the United States.
California’s Consumer Privacy Act provides sweeping new protections to California consumers, and so businesses that market goods or services to California residents will need to comply with the Act. The Act creates a private cause of action, so that a consumer may bring a lawsuit against a business for non-compliance under certain circumstances, including where the business suffers a data breach. California’s Attorney General may also bring civil enforcement actions against violators.
Like GDPR, the Act adopts an expansive definition of personal information encompassing any information that could identify or relates to a California consumer or household. Such “personal information” includes:
- Online or offline identifiers such as real name, alias, address, unique personal identifier, Internet Protocol address, email address, and other identifying numbers
- Signature, physical characteristics or description, education, employment, employment history, or any other financial information, medical information, or health insurance information;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
- Geolocation data; and,
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Businesses are subject to the Act if the business: (a) has annual gross revenues over $25 million; or (b) annually buys, receives, sells, or shares personal information of at least 50,000 consumers, households or devices; or (c) derives 50% or more of its annual revenue from the sale of personal information. The Act applies regardless of whether the business has any physical presence in California.
When the Act’s definitions of “personal information” and “business” are considered together, it becomes clear that most businesses will be subject to the Act. If a business operates an e-commerce website or sells products to Californians, it is nearly certain that the business annually collects at least 50,000 names, email addresses, IP addresses, or purchase histories of California residents.
The Act requires businesses to post detailed online privacy policies, including information about what information the business collects, how it uses the information, and how it is shared. The Act provides California residents with a right to request disclosure of:
- What types of personal information the business has collected about that consumer;
- The sources of such personal information;
- The purpose for such collection;
- How the business has shared the consumer’s information; and,
- The specific pieces of personal information the business has collected about the consumer.
Businesses will be prohibited from collecting or using personal information in any manner that is not disclosed to the consumer. Like GDPR, the Act will require companies to review and update their existing privacy policies and notices (or create them for the first time).
Consumers also are provided with a right to deletion; upon demand, a business must delete any personal information that it has collected about a consumer (and direct its vendors and partners to do the same). Like GDPR, businesses would be permitted to retain such information if they have a valid reason to do so (such as complying with tax or legal obligations, or for a legitimate purpose that is reasonably aligned with consumer expectations). It will be important for businesses to respond promptly to deletion requests, and to amply document any reasons why data is retained after such a request.
Businesses will need to respond to these consumer requests for information or deletion within 45 days.
The Act will also have significant ramifications on selling and sharing consumer data. The law makes it illegal for a company to sell personal information, unless the consumer received explicit notice that their information might be sold and was provided with an opportunity to opt-out of such an arrangement.
To that end, businesses will be required to provide a clear and conspicuous notice on the homepage of their website, titled “Do Not Sell My Personal Information,” that links to an opt-out mechanism. The law also limits strictly the sale of personal information of consumers younger than 16 years of age.
Businesses will not be permitted to deny goods or services to a consumer who has exercised this opt-out right. Interestingly, while businesses may not charge a different price or rate to consumers who opt-out, the Act does contemplate payment of “financial incentives” including monetary payments to consumers that consent to the collection and/or sale of their personal information.
The Consumer Privacy Act will take effect on January 1, 2020. Businesses will need to prepare in advance to comply by that effective date.
McNees’s Privacy & Data Security team helps business and non-profit entities comply with state, federal, and international privacy laws.
© 2018 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.