Compliance Deadline for California’s New Privacy Act Coming Up Fast; Are You Ready?

The deadline for businesses to implement compliance with the California Consumer Privacy Act is just around the corner, and chances are most businesses are not ready.

On June 28, 2018, Governor Brown signed into law the California Consumer Privacy Act of 2018.  The Act applies to any business which does business in California, and i) has annual gross revenues in excess of $25 million; ii) buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or iii) earns more than half of its annual revenue from selling consumers’ personal information.

The purpose of the Act is to provide California residents with significant new rights related to their personal information.  The Act provides:

  1. That California residents have the right to know the type of personal information being collected about them, to know whether such information is being sold or disclosed to any third parties and the identification of such third parties;
  2. That California residents have the right to prohibit the sale of their personal information;
  3. That California residents have the right to access their personal information and may request a business delete any or all of their personal information; and
  4. That California residents may not be discriminated against for exercising these rights.

The Act defines “personal information” broadly to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  Examples of personal information include identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license or state identification number and a passport number.  Personal information also includes an insurance policy number, employment history, a bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Characteristics of protected classifications under California or federal law (e.g., race, religion, age, etc.) are considered personal information, as is biometric information.  Additionally, commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement; geolocation data; and audio, electronic, visual, thermal, olfactory, or similar information are considered personal information under the Act, as are any inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.  Personal information does not include information that is publicly available or “aggregate consumer information,” which is data that is “not linked or reasonably linkable to any consumer or household.”

The Act does not delineate personal information based on the means of collection or the consumer’s relationship with the business.  Accordingly, the Act applies to personal information collected through both digital and non-digital means, and covers not only business customers but employees, contractors, vendors, etc.

If a business collects personal information, the business must, at or before the point of collection of the personal information, provide two methods, one of which must be a toll-free number and a website address (if the company maintains a website), for consumers to submit requests to be provided with a wide variety of information, including the categories of personal information the business has collected about that consumer, the business purpose for collecting such information and the third parties with whom the business shares such personal information. Such requests must be responded to, generally, within 45 days.

For any business that sells personal information, the Act requires that it create a link on its internet homepage and privacy policy to a page entitled “Do Not Sell My Personal Information” that permits a consumer to exercise their right not to have their personal information sold. Additionally, the Act requires that businesses inform consumers of their right to have their personal information deleted.

Existing online privacy policies should also be revised (or businesses should consider creating a separate privacy policy for California residents) for compliance with the CCPA.  A revised privacy policy should disclose the California consumer’s right to request information about the collection and use of personal information.  The revised privacy policy must also list the categories of personal information (as enumerated in the Act) the business has collected from California consumers in the last 12 months, the categories of sources of such information, the business purpose for collecting such information, the categories of third parties with whom the business shares such personal information, and the categories of personal information the business has sold in the last 12 months. If a company provides a financial incentive for providing personal information, this must be disclosed in the privacy policy.

Compliance with the Act will be enforced by the Attorney General of California through substantial civil penalties. The Act also provides remedies where a California consumer’s personal information is accessed or disclosed due to a data security breach where such breach is due to the failure to “implement and maintain reasonable security procedures.”  The Act provides for statutory damages and allows such claims to be made on a class-wide basis.

Merely updating an online privacy policy will not guarantee compliance with the CCPA.  A business will need to create internal processes for responding to consumer requests, be mindful of monetization restrictions, and ensure CCPA compliance (and obtain indemnification) from vendors that process personal information on its behalf.