July 11, 2018 Article

What U.S. Businesses Need to Know about the California Consumer Privacy Act of 2018

Privacy Alert

The California Consumer Privacy Act of 2018 (the “Act”) is the first wide-reaching legislation to be enacted in the U.S. in response to increasing consumer outrage over the use and exploitation of personal data by Cambridge Analytica. The Act contains far-reaching provisions aimed at protecting the rights of California residents to their personal information. These rights include:

  1. The right to know what personal information is being collected;
  2. The right to know whether one’s personal information is being sold or disclosed, and to whom;
  3. The right to say no to the sale of one’s personal information;
  4. The right to access personal information that has been collected; and
  5. The right to receive equal service and be charged an equal price, regardless of whether one exercises their privacy rights.

The following is a primer on what U.S. businesses should know about the Act, which becomes effective January 1, 2020:

What “personal information” is protected by the Act?

The Act defines “personal information” broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information include a name, address, IP address, purchasing history, biometric information, internet search history, and geolocation data. However, “personal information” does not include information that is publicly available from federal, state, or local government records, so long as the information is used for a purpose that is “compatible with the purpose for which the data … is publicly maintained.”

Does the Act apply to my business?

If you do business in the State of California and your business meets any of the following thresholds, you need to comply with the Act:

  • Annual gross revenues of the business exceed $25 million;
  • The business annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices annually; or
  • The business derives 50% or more of its annual revenues from selling consumers’ personal information.

Does the Act require me to update my privacy policy?

Yes. The Act contains specific requirements for what businesses must include in their privacy policies. For example, the privacy policy must:

  • Describe the consumers’ rights protected by the Act;
  • List the categories of personal information collected from consumers;
  • List the categories of consumers’ personal information that the business sold in the past 12 months; and
  • List the categories of consumers’ personal information that the business disclosed to third parties in the preceding 12 months.

The Act also requires businesses to update their websites to include a page showing consumers how they can opt out of the sale of their personal information. The privacy policy should link to this page.

Does my business need to make these changes for all of its customers?

No. The Act allows businesses to set up a separate website that is compliant with the Act, which is targeted just at California consumers.

Can I offer different service levels or charge different prices to customers who let me sell their data?

The Act specifically prohibits businesses from discriminating against consumers who exercise the data privacy rights protected by the Act. For example, you cannot deny a consumer goods or services, charge them different prices or rates (including through the use of discounts or penalties), provide a different level or quality of goods or services, or suggest that the consumer will receive a different price or service level if they exercise any of their protected rights.

However, the Act does permit a business to charge a different price or provide a different level or quality of service “if the difference is reasonably related to the value provided to the consumer by the consumer’s data.”

And the Act also allows you to offer financial incentives for consumers who permit the collection or sale of their personal information so long as you notify the consumer of the financial incentives and the incentives are not “unjust, unreasonable, coercive, or usurious in nature.”

Can a consumer ask me to delete personal information that I have collected about them?

Yes; however, the Act contains a number of exceptions that will allow you to retain the consumer’s personal information for permitted purposes.

Will I need to be able to respond to consumers’ requests about my data collection practices?

Yes. California residents have the right to ask you to disclose:

  • The categories of personal information you collect;
  • The categories of sources from which you collect personal information;
  • Your business or commercial purpose in collecting or selling personal information;
  • The categories of third parties with whom you share personal information; and
  • What specific pieces of personal information you have collected about any consumer.

If I sell personal data, will I need to be able to respond to consumers’ questions regarding my data sales practices?

Yes. California residents have the right to ask you to disclose:

  • The categories of personal information that you have sold;
  • The categories of third parties to whom you have sold personal information;
  • Whether the requesting consumer’s personal data was sold;
  • The categories of personal information you have disclosed to third parties for a business purpose; and
  • Whether the requesting consumer’s personal data was disclosed to a third party.

Can I sell the personal information of a minor?

No, you must obtain specific consent before you can sell a California minor’s personal information. Children between the ages of 13 and 16 may consent to the sale of their personal information. You must obtain consent from the child’s parent or guardian if the child is under 13.

If I do not comply with the Act, what penalties will I face?

The Act creates a private right of action, allowing consumers to bring suit for statutory damages or injunctive relief if a business violates the Act. Willful violations can be penalized with fines of up to $7,500 per violation.

The Act requires businesses in California to provide greater transparency into their data collection and sales practices than has previously been required in the U.S. and we expect other states may follow California’s lead and enact similar legislation. Compliance with the Act will likely require businesses to update their websites, privacy policies, and IT infrastructure.

The requirements of the Act are detailed and highly technical. You should consult data privacy counsel to ensure your business is compliant with the Act before it becomes effective January 1, 2020.

For more information on the Act, contact Sigmund D. Schutz at [email protected] or Rue K. Toland at [email protected]

Firm Highlights

Press Coverage

The Maine Monitor Sues York County for Jail Call Records

On August 2, The Maine Monitor filed a lawsuit against York County, challenging the County's denial of reporter access to public records that may detail times it has recorded confidential conversations between defendants being held at the...

Publication

The Latest from OSHA on Mitigating and Preventing the Spread of COVID-19 at Work

On the tails of updated guidance from other agencies, the U.S. Department of Labor Occupational Safety and Health Administration ("OSHA") released new pandemic-related guidance last month. This guidance was issued on June 10, 2021...

News

Attorney Daniel Rapaport Selected by Peers as “Lawyer of the Year” in Best Lawyers in America 2022

Preti Flaherty attorney Daniel Rapaport has been recognized in Best Lawyers in America 2022 as the “Lawyer of the Year” in the field of Personal Injury Litigation – Defendants. Inclusion in Best Lawyers in...

News

46 Preti Flaherty Attorneys Selected by Peers for Inclusion in Best Lawyers in America 2022, Including 3 “Lawyers of the Year”

Forty-six Preti Flaherty attorneys have been named to Best Lawyers in America 2022, including four “Ones to Watch” and three “Lawyer of the Year” recipients. Inclusion in Best Lawyers in America is considered a...

News

Preti Flaherty Welcomes Cameron Ferrante, Paola Maymi, and Anne Sedlack to the Firm

Preti Flaherty is pleased to announce the arrival of three new members to the firm: Cameron A. Ferrante, Paola A. Maymi, and Anne E. Sedlack. Cameron Ferrante is a graduate of Northeastern University School...

Publication

What to do When a Lender Receives a Notice from the Municipality that Mortgaged Property is Going to be Condemned or is in Violation of the Building Code?

Occasionally, a lender will be served a notice from a municipality alerting the lender that a mortgaged property has had unpermitted construction projects, or otherwise violates the municipal building code. The Maine Uniform Building...

Publication

Understanding the New COVID-19 Vaccine Mandate for Healthcare Workers

Many Maine healthcare facilities were already in the process of evaluating, drafting, and implementing mandatory vaccine policies when the Maine Department of Heath and Human Services issued an Emergency Routine Technical Rule on the...

News

Attorney Joseph Donahue Selected by Peers as “Lawyer of the Year” in Best Lawyers in America 2022

Preti Flaherty attorney Joseph Donahue has been recognized in Best Lawyers in America 2022 as the “Lawyer of the Year” for the Augusta region in the field of Administrative/Regulatory Law. Inclusion in Best Lawyers...

Publication

Legislative Alert: Maine Legislature Adjourns!

The First Special Session of the 130 th Legislature finally adjourned on Monday night, July 19 th . As many of you may remember, the First Regular Session ended in March 30th when the...

Publication

New Maine Law Limits Employers’ Ability to Request Applicant Criminal History Information

Last month Governor Mills signed into law LD 1167, “An Act Relating to Fair Chance in Employment.” Maine joins a growing number of states in adopting a “ban-the-box” law that restricts employers’ ability to...