The June 28th passage of a new California data privacy law, the California Consumer Privacy Act of 2018 (“Act”), will have its own significant impact. Although the law does not become effective until 2020, and changes are therefore possible, non-Californian businesses would be well-advised to understand its provisions and potential impact, given the economic importance of California.
The Act will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information. The Act also reaches corporate affiliates that share branding with entities that otherwise are subject to the Act.
Some entities, such as small companies and non-profits, are not encompassed under the Act. While a company without a physical presence in California is not technically encompassed if its “commercial conduct takes place wholly outside of California,” as a practical matter few businesses entering transactions with Californians will satisfy this test, given the broad definition of commercial conduct, which includes, for example, a web site’s use by Californians.
One of the most significant aspects of the Act is the broad scope of personal information encompassed. The Act’s “personal information” definition includes information that is identifiable to a household, not necessarily only a consumer, and includes unique personal identifiers, device identifiers, and other online tracking technologies.
Under the Act “consumers” (natural persons who are California residents) have certain rights to their personal information, including:
- the right to know what personal information a business has collected about them, what their personal information is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
- the right to “opt out” of permitting a business to sell their personal information to third parties (an “opt in” is required for persons under 16 years old);
- the right to have a business delete their personal information, with certain exceptions; and
- the right to receive equal pricing and service from a business despite exercising their privacy rights under the Act.
Violations of the Act can lead to an enforcement action by the California Attorney General and, in the case of data theft or unauthorized access, private actions by consumers for damages or injunctive relief, if the Attorney General declines to bring an action.
Finally, it is useful to compare the Act to the recently enacted European Union General Data Protection Regulation (“GDPR”), as businesses are already investing significant resources in compliance with the GDPR. While both are broad-ranging privacy laws, there are significant differences between the Act and the GDPR. For instance, unlike the GDPR, the Act does not require companies to obtain user consent to their processing of consumers’ personal information. Instead, the Act requires businesses to offer consumers the opportunity to “opt out” of the sale of their personal information.
Once implemented, the Act has the potential to change privacy law throughout the United States. Businesses based outside California, including non-U.S. businesses, will be subject to its requirements. Companies should begin to assess the Act’s potential impact in advance of its January 2020 implementation.
The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact Jonathan Roberts or Katherine Lewis.