What U.S. Businesses Need to Know about the California Consumer Privacy Act of 2018

Privacy Alert

The California Consumer Privacy Act of 2018 (the “Act”) is the first wide-reaching legislation to be enacted in the U.S. in response to increasing consumer outrage over the use and exploitation of personal data by Cambridge Analytica. The Act contains far-reaching provisions aimed at protecting the rights of California residents to their personal information. These rights include:

  1. The right to know what personal information is being collected;
  2. The right to know whether one’s personal information is being sold or disclosed, and to whom;
  3. The right to say no to the sale of one’s personal information;
  4. The right to access personal information that has been collected; and
  5. The right to receive equal service and be charged an equal price, regardless of whether one exercises their privacy rights.

The following is a primer on what U.S. businesses should know about the Act, which becomes effective January 1, 2020:

What “personal information” is protected by the Act?

The Act defines “personal information” broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information include a name, address, IP address, purchasing history, biometric information, internet search history, and geolocation data. However, “personal information” does not include information that is publicly available from federal, state, or local government records, so long as the information is used for a purpose that is “compatible with the purpose for which the data … is publicly maintained.”

Does the Act apply to my business?

If you do business in the State of California and your business meets any of the following thresholds, you need to comply with the Act:

  • Annual gross revenues of the business exceed $25 million;
  • The business annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices annually; or
  • The business derives 50% or more of its annual revenues from selling consumers’ personal information.

Does the Act require me to update my privacy policy?

Yes. The Act contains specific requirements for what businesses must include in their privacy policies. For example, the privacy policy must:

  • Describe the consumers’ rights protected by the Act;
  • List the categories of personal information collected from consumers;
  • List the categories of consumers’ personal information that the business sold in the past 12 months; and
  • List the categories of consumers’ personal information that the business disclosed to third parties in the preceding 12 months.

The Act also requires businesses to update their websites to include a page showing consumers how they can opt out of the sale of their personal information. The privacy policy should link to this page.

Does my business need to make these changes for all of its customers?

No. The Act allows businesses to set up a separate website that is compliant with the Act, which is targeted just at California consumers.

Can I offer different service levels or charge different prices to customers who let me sell their data?

The Act specifically prohibits businesses from discriminating against consumers who exercise the data privacy rights protected by the Act. For example, you cannot deny a consumer goods or services, charge them different prices or rates (including through the use of discounts or penalties), provide a different level or quality of goods or services, or suggest that the consumer will receive a different price or service level if they exercise any of their protected rights.

However, the Act does permit a business to charge a different price or provide a different level or quality of service “if the difference is reasonably related to the value provided to the consumer by the consumer’s data.”

And the Act also allows you to offer financial incentives for consumers who permit the collection or sale of their personal information so long as you notify the consumer of the financial incentives and the incentives are not “unjust, unreasonable, coercive, or usurious in nature.”

Can a consumer ask me to delete personal information that I have collected about them?

Yes; however, the Act contains a number of exceptions that will allow you to retain the consumer’s personal information for permitted purposes.

Will I need to be able to respond to consumers’ requests about my data collection practices?

Yes. California residents have the right to ask you to disclose:

  • The categories of personal information you collect;
  • The categories of sources from which you collect personal information;
  • Your business or commercial purpose in collecting or selling personal information;
  • The categories of third parties with whom you share personal information; and
  • What specific pieces of personal information you have collected about any consumer.

If I sell personal data, will I need to be able to respond to consumers’ questions regarding my data sales practices?

Yes. California residents have the right to ask you to disclose:

  • The categories of personal information that you have sold;
  • The categories of third parties to whom you have sold personal information;
  • Whether the requesting consumer’s personal data was sold;
  • The categories of personal information you have disclosed to third parties for a business purpose; and
  • Whether the requesting consumer’s personal data was disclosed to a third party.

Can I sell the personal information of a minor?

No, you must obtain specific consent before you can sell a California minor’s personal information. Children between the ages of 13 and 16 may consent to the sale of their personal information. You must obtain consent from the child’s parent or guardian if the child is under 13.

If I do not comply with the Act, what penalties will I face?

The Act creates a private right of action, allowing consumers to bring suit for statutory damages or injunctive relief if a business violates the Act. Willful violations can be penalized with fines of up to $7,500 per violation.

The Act requires businesses in California to provide greater transparency into their data collection and sales practices than has previously been required in the U.S. and we expect other states may follow California’s lead and enact similar legislation. Compliance with the Act will likely require businesses to update their websites, privacy policies, and IT infrastructure.

The requirements of the Act are detailed and highly technical. You should consult data privacy counsel to ensure your business is compliant with the Act before it becomes effective January 1, 2020.

For more information on the Act, contact Sigmund D. Schutz at [email protected] or Rue K. Toland at [email protected]