Many online American companies are jumping through hoops to make sure their websites and practices comply with the GDPR, perhaps the strictest privacy regulation in the world. California has just rolled out its own privacy hurdle for businesses: the California Consumer Privacy Act of 2018. The Act is not as all-encompassing as the GDPR, but it will still prove challenging for many companies. The California Legislature will likely amend the Act multiple times, as the law was a rush job with bizarre origins. Here’s what you need to know as of now.
What Is The California Consumer Privacy Act?
Governor Brown signed the Act into law in June of 2018. Lawmakers rushed the bill through the legislative process in seven days to stop a similar measure scheduled for the November ballot. Chaos would’ve occurred if voters passed the ballot initiative because the proposed law had a host of defects. It violated several federal laws. It also conflicted with California laws already in place. In short, the initiative was a bit of a mess. The CCPA remains so today.
In a nutshell, the law guarantees California residents several privacy rights, including the right to:
- Know what information a business collects about them, where it came from, and whether (and to whom) the company is selling or sharing the data;
- Have most of their personal information deleted upon request;
- Tell businesses not to share or sell their personal information; and
- Be treated equally by the company, whether they allow collection or sharing of their data or not.
“California residents” are defined as individuals who are subject to the state’s tax laws because of their place of residence.
Timing of the Act
The California Consumer Privacy Act takes effect on January 1, 2020. However, there are currently provisions which allow officials to “look back” at whether companies complied with some requirements of the Act during the 2019 calendar year – and enforce them retroactively in 2020. The law is still being “tinkered with,” though, so that may change. The best advice is to consult with an Internet attorney as soon as possible, to establish a timeframe for any website changes which may be necessary.
Who Is Impacted by the Act?
The California Consumer Privacy Act regulates for-profit companies that collect personal information from natural persons who are residents of California. That includes operating a website that collects data from visitors, even if the visitors don’t make a purchase.
Some businesses are exempt. The Act sets three thresholds. Meet just one, and you must comply:
- Gross annual revenues of $25 million or more.
- Collection, purchase, sale, or sharing of the personal information of more than 50,000 consumers per year.
- More than 50% of annual income earned from the sale of consumers’ personal information.
Those thresholds can be trickier than they first appear. For example, a small California company that grosses just $100,000, but earns most of its money from “selling leads” to other firms, would be required to comply with the Act. Don’t assume that you’re safe just because you’re a small business.
Experts estimate about half-a-million American companies will be required to comply with the provisions of the Act, and California officials are promising to enforce it vigorously.
What “Personal Information” Means
The Act applies to the personal information of California residents. “Personal information” is defined as much more than just a consumer’s name, address, email, and phone number. The Act defines the phrase to include unique information that can identify a consumer or their computer or device, such as IP addresses, geolocation data, customer profiles, or browsing history inferred from other personal information. The law even regulates seemingly meaningless data, such as household energy consumption.
One important question which is still up in the air involves the use of website tracking cookies and mobile advertising IDs. The Act theoretically regulates them. However, there’s an exemption for originally personal information which is either aggregated or “anonymized.” How California authorities will deal with this topic is still unknown, and companies are waiting with great anticipation for the Attorney General to issue regulations on it.
What’s Required by the Act
That Internet attorney we just mentioned will be one of your two best friends when figuring out how your business can comply with the California Consumer Privacy Act. Your website designer will be the other. The general requirements may sound reasonable, but implementation can be complicated. Here are the skeleton compliance steps:
- Companies that sell personal information to third parties, in addition to disclosing that fact, must have an opt-out link on their homepage labeled “Do Not Sell My Personal Information.” (Needless to say, they must also honor all opt-out requests.) There is also an opt-in requirement for minors. Companies can’t sell the personal information of consumers between the ages of 13 and 15 without an affirmative opt-in in advance. For those younger than 13, their parents must affirmatively opt in for them.
- Companies must also offer two or more ways for consumers to request the information that the Act entitles them to receive. The CCPA authorizes a toll-free phone number and a contact method on a website as the acceptable forms.
A. Consumer Access
The Act entitles consumers to the following data:
- Details of the information the company collects on them,
- How the company collects the data, and
- Who the company shares the data with online or off.
The company must deliver the data to the consumer within 45 days.
What concrete steps should a company take to comply with the CCPA? We’ll look at that next.
Actions a Company Should Take
Of necessity, this is not an all-inclusive list of what a company needs to do to ensure their website or Internet operations comply with the California Consumer Privacy Act. However, they’re reasonable first steps and an excellent starting point for a discussion with your attorney and web developer.
- Map out how you collect information, and put systems in place that can block personal data from being collected and remove it from deliveries to third parties, according to each user’s opt-out choices.
- Build systems that allow personal information to be retrieved easily, so you can deliver it in a timely fashion. Hire or assign any necessary employees for the task.
- Implement a website age-verification system so you can direct visitors under the age of 16 to the proper forms for opt-in or parental opt-in.
- Modify the website to include the required homepage “Do Not Sell My Personal Information” link which leads to a proper, working opt-out form.
- If you are planning to segregate California users from the overall population, ensure that proper measures are in place for that purpose. If you’ve decided to use separate websites or apps for California and non-California visitors, you must test the functionality.
- Build a working contact form and, if necessary, obtain a toll-free phone number for users to use when requesting their personal information.
Sitting down with legal counsel and developing a plan of action is the critical step in complying with the Act.
Possible Penalties for Violating the Act
Still not sure if you need to worry about this new law? You may feel differently after considering the potential damage claims. Penalties are up to $7500 per incident for intentional violations of any part of the Act. If you can prove the violation was unintentional, the court can only award up to $2500 per California resident impacted by your violation.
Naturally, “per incident” fees can pile up quickly if your website, systems or responses aren’t up to par.
There’s one more potential penalty for not appropriately protecting personal information. A company suffering a data breach is liable for damages of $100-$750 per California resident whose information hackers access. The damages can add up quickly, which is just one more incentive for companies to act now.
Is GDPR Compliance Enough?
A company that has just gone through a rigorous exercise to prepare for implementation of the GDPR may feel confident that if its systems are good enough for the European Union, they’re good enough for California. That’s not necessarily the case.
First of all, the Act defines personal information differently than the GDPR does. The Act also contains requirements and regulations dealing with website disclosures, the methods for requesting personal data, and the data itself that differ from the GDPR’s.
Also, restrictions on sharing or selling data to third parties are stricter in the Act than they are in the GDPR, and the California Act gives companies a much narrower option to charge different prices or offer various services based on opting-in to data collection.
The bottom line: most companies will have to take additional steps to adhere to the requirements of the California Consumer Privacy Act, even if they’ve already complied with the GDPR. It’s best to start evaluating compliance with the Act and making any necessary changes sooner rather than later.
A privacy revolution. Who would’ve guessed?
Richard A. Chapo, Esq.