Many U.S. businesses with an online presence have been jumping through hoops over the last year, making sure their website and practices comply with the new European GDPR – the General Data Protection Regulation which sets stringent rules for the way websites collect, process and use personal information.
Now, California has just rolled out a new hurdle for businesses to clear: the California Consumer Privacy Act of 2018 (the Act). It’s not as all-encompassing as the GDPR, but it will still be a challenge for many companies to adhere to, particularly those which haven’t already revamped their privacy policies and procedures to comply with the GDPR.
The Act won’t be enforced until the year 2020. For reasons we’ll explain shortly, though, the time to take action is now. Companies which wait until late 2019 to figure out what to do about the Act could find themselves in trouble.
Here’s what you need to know.
What Is The California Consumer Privacy Act?
The Act was passed by California’s Legislature and signed by the Governor in June of 2018. It was rushed through the lawmaking process in just days, in order to kill a similar measure scheduled to be on the November ballot. The reason: if California voters approved the ballot initiative, it would be very difficult to change later. This way, the legislature can amend it at any time.
In a nutshell, the law guarantees California residents a number of rights regarding the personal information a business collects about them:
- the right to know what information has been collected, where it came from, and whether (and to whom) the information is being sold or shared
- the right to have most of their personal information deleted upon request
- the right to tell businesses not to share or sell their personal information
- the right to be treated equally by the business, whether they allow collection or sharing of their information or not
“California residents” are defined as individuals who are subject to the state’s tax laws because of their place of residence. However, just as with the GDPR, online businesses rarely do business just in their home state, and it would be complicated and expensive for a company to “sift out” California residents from all other surfers and customers. That’s why companies throughout America (and many in other nations) are best served by ensuring that they comply with the provisions of the Act, whether or not their primary client base is located in California.
Timing of the Act
This is a tricky one. The California Consumer Privacy Act takes effect on January 1, 2020. However, there are currently provisions which allow officials to “look back” at whether companies complied with some provisions of the Act during the 2019 calendar year – and enforce them retroactively in 2020. The law is still being “tinkered with,” though, so that may change. The best advice is to consult with an Internet attorney as soon as possible, to establish a timeframe for any website changes which may be necessary.
Who Is Impacted by the Act?
The California Consumer Privacy Act regulates for-profit companies which do business in the state, and which collect and have control over personal information from consumers. That includes operating a website that collects information from visitors, even if the visitors don’t make a purchase.
Some businesses, however, are exempt. There are three thresholds set by the Act, and a company which meets or exceeds any one of them must comply with the provisions of the law:
- Gross annual revenues of $25 million or more
- Collection, purchase, sale or sharing of personal information of more than 50,000 consumers per year
- More than 50% of annual income earned from the sale of consumers’ personal information
Those thresholds can be trickier than they first appear. For example, a small California company that grosses just $100,000, but earns most of its money from “selling leads” to other firms, would be required to comply with the Act. The takeaway: don’t assume that you’re safe just because you’re a small business.
One important question is what it means to “do business” in the state. The Act doesn’t make that clear, but provisions of the California tax and corporation codes imply that it can be read to include any company that “actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California.” In other words, if you’re trying to decide whether you must comply with the California Consumer Privacy Act: better safe than sorry.
It’s estimated that about half-a-million American companies will be required to comply with the provisions of the Act, and California officials are promising to enforce it strongly.
What “Personal Information” Means
In this digital age, the “personal information” that the Act protects is much more than just a consumer’s name, address, email, phone number, billing details and social security number. It also includes unique information that can identify a consumer or their computer or device, such as IPs, geolocation data, customer profile or surfing history inferred from other personal information. It can even regulate seemingly-meaningless data, such as household energy consumption.
One important question which is still up in the air involves the use of website tracking cookies and mobile advertising IDs. They are theoretically regulated by the Act, but there’s an exemption for originally-personal information which is either aggregated or “anonymized” so it can’t be used to identify an individual. The exact way that California authorities will deal with this issue is still unknown, and many online advertising firms and their lawyers are still wrestling with the issue.
Answers on that question, and details on other exemptions which exclude things like “publicly available information,” are best provided by an Internet attorney in your area who can evaluate your company’s situation and make sure that you’re protected in the long run. However, it is expected to be months before we have black and white answers on these issues.
What’s Required by the Act
That Internet attorney we just mentioned will be one of your two best friends when figuring out how your business can comply with the California Consumer Privacy Act; your website designer will be the other. The general requirements of the Act may sound reasonable, but their implementation can be complicated.
For those who want to try and do it themselves, though, or those who simply want to familiarize themselves with what they may need to do, here are the basic compliance steps.
- Companies that sell personal information to third parties, in addition to disclosing that fact, must have an opt-out link on their homepage labeled “Do Not Sell My Personal Information.” (Needless to say, they must also honor all opt-out requests.) There’s one more aspect to the opt-in regulation. Companies can’t sell the personal information of consumers between the ages of 13 and 15 without an affirmative opt-in in advance. For those younger than 13, their parents must affirmatively opt in for them.
- Companies must also offer at least two ways for consumers to request the information that the Act entitles them to receive – and two of those are specifically required: a toll-free phone number and a contact method on a website.
Among the data that consumers are entitled to: details of the information the company has collected on them, how it was collected, and who it was shared with. This must all be delivered to the requesting consumer within 45 days, for free.
What concrete steps should be taken to comply with these requirements? We’ll look at that next.
Actions a Company Should Take
Of necessity, this is not an all-inclusive list of what a company needs to do to ensure their website or Internet operations comply with the California Consumer Privacy Act. However, they’re good first steps and an excellent starting point for a discussion with your attorney and/or web developer.
- Map out your current flow of collected information, and ensure systems are in place so that all personal information can be blocked from collection and/or eliminated from deliveries to a third party, depending on user opt-outs.
- Construct systems which allow easy retrieval of personal information from the system, so that it can be delivered in a timely fashion to users requesting it under provisions of the Act. Hire or assign any necessary employees for the task.
- Implement a website age-verification system so visitors under the age of 16 are directed to the proper forms for opt-in or parental opt-in.
- Modify the website to include the required homepage “Do Not Sell My Personal Information” link which leads to a proper, working opt-out form.
- If you are planning to segregate California users from the overall population, ensure that proper measures are in place for that purpose. If you’ve decided to use separate websites or apps for California and non-California visitors, those must be built, and effectiveness must be fully tested.
- Build a working contact form and, if necessary, obtain a toll-free phone number for users to use when requesting their personal information.
Obviously, sitting down with legal counsel and developing a plan of action is the critical step in complying with the Act as every online business has unique characteristics that may need to be addressed in the compliance effort.
Possible Penalties for Violating the Act
Anyone who hasn’t yet been convinced to take California’s action seriously may feel differently after learning that companies can be taken to court by the state for any violations. Penalties are specified in the Act: up to $7500 per incident for intentional violations of any part of the Act, and $2500 per incident for unintentional violations, if the violations aren’t fixed within one month.
Naturally, “per incident” fees can pile up quickly if your website, systems or responses aren’t up to par.
There’s one more potential penalty for not properly protecting personal information: a company suffering a data breach is liable for damages of $100-$750 paid to every California resident whose information was stolen, or actual damages if they turn out to be greater. Those can add up quickly as well and are just one more incentive to be prepared ahead of time.
Is GDPR Compliance Enough?
A company that has just gone through a rigorous exercise to prepare for implementation of the GDPR may feel confident that if its systems are good enough for the European Union, they’re good enough for California. That’s not necessarily the case.
First of all, the Act defines personal information differently than the GDPR does, and their requirements and regulations dealing with website disclosures, methods of requesting personal data and the data which must actually be provided all differ.
In addition, restrictions on sharing or selling data to third parties are stricter in the Act than they are in the GDPR, and the California Act gives companies a much narrower option to charge different prices or offer different services based on opting-in to data collection.
The bottom line: most companies will have to take additional steps to adhere to the requirements of the California Consumer Privacy Act, even if they’ve already complied with the GDPR. It’s best to start evaluating compliance with the Act and making any necessary changes sooner rather than later.
A privacy revolution. Who would’ve guessed?
Richard A. Chapo, Esq.