On the heels of the General Data Protection Regulation (“GDPR”), California is rolling out its own revamped privacy legislation in the form of the California Consumer Privacy Act of 2018 (the “Act”).
The Act will go into effect on January 1, 2020.
Much like GDPR, the Act gives California residents certain additional rights in relation to the collection and use of their personal information. Below is a brief description of some of the major components of the Act, but first:
Will the Provisions of the Act Apply to You?
The Act will apply to for-profit businesses that do business in California, collect and control California residents’ personal information, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50% or more of their annual revenues from selling California residents’ personal information.
This means that non-profits, small businesses, and businesses that do not generally handle significant amounts of personal information will likely not have to comply with the Act.
Broadening of Definitions
The Act broadens certain data privacy definitions that make its reach more expansive. A couple of important ones to note are:
- The definition of “personal information” now includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The Act provides a sampling of examples of personal information, including device identifiers, other online tracking technologies and “probabilistic identifiers,” which are identifiers that will “more probable than not” identify a consumer or device. The Act does not apply to de-identified or aggregated personal data, as long as the steps taken by the business to de-identify the information meet the Act’s strict standards.
- The definition of “sale” in regards to the sale of personal information now includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration.
Under the Act, businesses are required to be more transparent regarding the personal information they collect. Specifically, a business must disclose what types of personal information it collects, why and for what purpose it collects that information, and whether it sells or shares the information and with whom. Consumers also have the right to request certain information from businesses, including where a business obtained the consumer’s personal information, the specific pieces of personal information it collected about the consumer, and the third parties with which it shared that information.
The Act also creates a right for consumers to request that a business delete the consumer’s personal information, and the business must provide notice of this right in its online privacy notice. The Act also requires a business that receives a deletion request to direct its service providers to delete the personal information from their records as well. Notably, the business is not required to delete the information if maintaining it is necessary for a certain purpose, such as detecting security incidents and preventing fraud.
Opt Out Right
The Act provides consumers with the right, at any time, to opt out of the sale of the consumer’s personal information to third parties. Businesses that sell personal information to third parties are required to provide notice that personal information may be sold and that consumers have the right to opt out. Once a consumer has opted out, the business is prohibited from selling that consumer’s personal information to third parties absent subsequent express authorization to do so.
The Act prohibits businesses from discriminating against consumers for exercising any of their rights created by the Act. For example, businesses are prohibited from denying goods or services, charging different prices, or providing a different quality of goods or services to consumers who exercise their privacy rights.
GDPR and the Act Are Not One and the Same
Many businesses may wonder (or assume) that if they are GDPR compliant, they must also be compliant under the Act. However, though the Act incorporates some GDPR concepts, such as the rights of access and data deletion (noted above), there are several areas where the Act’s requirements are more specific than those of the GDPR, and others where the GDPR goes beyond the Act’s requirements.
Despite the overlap and similarities, the Act and the GDPR are different, and businesses should not rely on GDPR compliance as an indicator that they are compliant with the Act.
Companies are best advised to determine early on whether they must comply with the Act and, if so, begin formulating compliance strategies well before it goes into effect.
If you have further questions about the Act or other privacy compliance matters, please contact Heather Sapp at (firstname.lastname@example.org).
– Written by Heather Sapp