Many online American companies are jumping through hoops making sure their website and practices comply with the new European General Data Protection Regulation. The GDPR is perhaps the strictest privacy regulation in the world.
California has just rolled out a new hurdle for businesses to clear: the California Consumer Privacy Act of 2018. It’s not as all-encompassing as the GDPR, but it will still prove challenging for many companies.
When considering the new law, it is critical to understand that the California Legislature will likely amend the code multiple times. The bill has very strange origins.
Here’s what you need to know as of now.
Governor Brown signed the Act into law in June of 2018. Lawmakers rushed the bill through the legislative process in seven days. The reason for the rush was to stop a similar measure scheduled to be on the November ballot. Chaos would’ve occurred if the ballot initiative had passed, as it would’ve conflicted with other laws.
In a nutshell, the law guarantees California residents several privacy rights including the right to:
- Know what information a business collects about them, where it came from, and whether (and to whom) the data is being sold or shared
- Have most of their personal information deleted upon request
- Tell businesses not to share or sell their personal information
- Be treated equally by the company, whether or not they allow collection or sharing of their data
“California residents” are defined as individuals who are subject to the state’s tax laws because of their place of residence.
Timing of the Act
The California Consumer Privacy Act takes effect on January 1, 2020. However, there are currently provisions which allow officials to “look back” at whether companies complied with some provisions of the Act during the 2019 calendar year – and enforce them retroactively in 2020. The law is still being “tinkered with,” though, so that may change. The best advice is to consult with an Internet attorney as soon as possible, to establish a timeframe for any website changes which may be necessary.
Who Is Impacted by the Act?
The California Consumer Privacy Act regulates for-profit companies that collect personal information from natural residents of California. That includes operating a website that collects data from visitors, even if the visitors don’t make a purchase.
Some businesses are exempt. The Act sets three thresholds. Meet just one, and you must comply:
- Gross annual revenues of $25 million or more
- Collection, purchase, sale or sharing of the personal information of more than 50,000 consumers per year
- Earning more than 50% of annual income from the sale of consumers’ personal information
Those thresholds can be trickier than they first appear. For example, a small California company that grosses just $100,000, but earns most of its money from “selling leads” to other firms, would be required to comply with the act. Don’t assume that you’re safe just because you’re a small business.
Experts estimate about half-a-million American companies will be required to comply with the provisions of the Act, and California officials are promising to enforce it vigorously.
What “Personal Information” Means
In this digital age, the “personal information” that the Act protects is much more than just a consumer’s name, address, email, phone number, billing details, and social security number. It also includes unique information that can identify a consumer or their computer or device, such as IP addresses, geolocation data, browsing history, or a customer profile inferred from other personal information. It can even regulate seemingly meaningless data, such as household energy consumption.
One important question which is still up in the air involves the use of website tracking cookies and mobile advertising IDs. The Act theoretically regulates them, but there’s an exemption for information that was originally personal but has been aggregated or “anonymized” so it can’t be used to identify an individual. The exact way that California authorities will deal with this issue is still unknown, and many online advertising firms and their lawyers are still wrestling with the problem.
Answers on that question, and details on other exemptions which exclude things like “publicly available information,” are best provided by an Internet attorney. However, it is expected to be months before we have black and white answers on these issues.
What’s Required by the Act
That Internet attorney we just mentioned will be one of your two best friends when figuring out how your business can comply with the California Consumer Privacy Act; your website designer will be the other. The general requirements of the Act may sound reasonable, but their implementation can be complicated.
For those who want to have a go at DIY compliance or those who wish to familiarize themselves with what they may need to do, here are the skeleton compliance steps.
- Companies that sell personal information to third parties, in addition to disclosing that fact, must have an opt-out link on their homepage labeled “Do Not Sell My Personal Information.” (Needless to say, they must also honor all opt-out requests.) There is also an opt-in requirement. Companies can’t sell the personal information of consumers between the ages of 13 and 15 without an affirmative opt-in in advance. For those younger than 13, their parents must affirmatively opt in for them.
- Companies must also offer at least two ways for consumers to request the information that the Act entitles them to receive, and two methods are specifically required: a toll-free phone number and a contact method on the website.
The data that consumers are entitled to includes details of the information the company has collected on them, how it was collected, and who it was shared with. All of this information must be delivered to the requesting consumer within 45 days, for free.
What concrete steps should be taken to comply with these requirements? We’ll look at that next.
Actions a Company Should Take
Of necessity, this is not an all-inclusive list of what a company needs to do to ensure their website or Internet operations comply with the California Consumer Privacy Act. However, they’re reasonable first steps and an excellent starting point for a discussion with your attorney and web developer.
- Map out your current flow of collected information, and ensure systems are in place so that all personal data can be blocked from collection and eliminated from deliveries to a third party, depending on user opt-outs.
- Build systems that allow easy retrieval of a consumer’s personal information, so that it can be delivered in a timely fashion to users requesting it under the provisions of the Act. Hire or assign any employees necessary for the task.
- Implement a website age-verification system so you can direct visitors under the age of 16 to the proper forms for opt-in or parental opt-in.
- Modify the website to include the required homepage “Do Not Sell My Personal Information” link which leads to a proper, working opt-out form.
- If you are planning to segregate California users from the overall population, ensure that proper measures are in place for that purpose. If you’ve decided to use separate websites or apps for California and non-California visitors, you must test the functionality.
- Build a working contact form and, if necessary, obtain a toll-free phone number for users to use when requesting their personal information.
Sitting down with legal counsel and developing a plan of action is the critical step in complying with the Act.
Possible Penalties for Violating the Act
Anyone who hasn’t yet been convinced to take California’s action seriously may feel differently after learning about the penalties associated with the Act. Penalties are up to $7500 per incident for intentional violations of any part of the Act, and $2500 per incident for unintentional violations if you do not fix the problems within one month.
Naturally, “per incident” fees can pile up quickly if your website, systems or responses aren’t up to par.
There’s one more potential penalty for not appropriately protecting personal information. A company suffering a data breach is liable for damages of $100-$750 paid to every California resident whose information is exposed or actual damages if they turn out to be higher. Those can add up quickly as well and are just one more incentive to be prepared ahead of time.
Is GDPR Compliance Enough?
A company that has just gone through a rigorous exercise to prepare for implementation of the GDPR may feel confident that if its systems are good enough for the European Union, they’re good enough for California. That’s not necessarily the case.
First of all, the Act defines personal information differently than the GDPR does. The Act also contains requirements dealing with website disclosures, the methods for requesting personal data, and the data that must be provided, and these differ from the GDPR’s.
Also, restrictions on sharing or selling data to third parties are stricter in the Act than they are in the GDPR, and the California Act gives companies a much narrower option to charge different prices or offer various services based on opting-in to data collection.
The bottom line: most companies will have to take additional steps to adhere to the requirements of the California Consumer Privacy Act, even if they’ve already complied with the GDPR. It’s best to start evaluating compliance with the Act and making any necessary changes sooner rather than later.
A privacy revolution. Who would’ve guessed?
Richard A. Chapo, Esq.