On June 28, 2018, Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018. Authored by Assemblyman Ed Chau (D – Arcadia), the California Consumer Privacy Act is heralded as the toughest and most comprehensive law ever enacted to protect California consumers against the sale and dissemination of their personal information by companies doing business in the state. This new law is the byproduct of recent high-profile data breaches (Target, Home Depot, Equifax, etc.) and Facebook’s highly publicized scandal wherein the social networking giant allowed a third party, Cambridge Analytica, to improperly access key personal data on millions of its users.
While the California Consumer Privacy Act does not go into effect until January 1, 2020, smart business owners and executives are already taking steps to protect their companies from potential liabilities and risks that lie ahead. If you own a business in California, continue reading for a general primer on what this new law entails and how you can start protecting your business.
To Whom Does the California Consumer Privacy Act of 2018 Apply?
First, let’s examine what companies the California Consumer Privacy Act imposes duties upon. The California Consumer Privacy Act applies to any company that does business in the State of California “that collects consumers’ personal information” for the financial benefit of the company that (a) has annual gross revenues in excess of $25M, or (b) annually buys, receives or sells the personal information of 50,000 or more California consumers, households or residents, or (c) derives 50% or more of its annual revenues from selling consumers’ personal information.
While the law directly targets large data-aggregation and social media companies that traffic in the sale of personal information of their users (or other companies’ users), the law will likely have a far-reaching impact upon most companies doing business in California, not just those in Silicon Valley. If you are a for-profit company that routinely utilizes, collects, develops or buys lead lists or other types of target marketing information, the California Consumer Privacy Act may apply to you.
Businesses are exempt from complying with the law only under very limited circumstances, such as when a consumer directs a business to intentionally disclose personal information, or when personal information must be shared with a service provider to perform a business purpose, so long as notice of the disclosure is provided to the consumer and the service provider does not further collect, sell or use the consumer’s personal information outside of the stated business purpose.
What Does the California Consumer Privacy Act Require My Business to Do?
Under the California Consumer Privacy Act, a California consumer has the right to request that a qualifying business disclose to that consumer the categories and specific pieces of personal information the business has collected about the consumer. The consumer also has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. If the business sells the consumer’s personal information, the consumer has the right to request that the business disclose to that consumer the categories of personal information about the consumer collected, the categories of personal information sold, and the identity of the entity(ies) to whom the information was sold. Finally, the consumer has the right to direct a business that sells personal information about the consumer to third parties to not sell the consumer’s information or to “opt out.”
The qualifying business must comply with the law and cannot discriminate or retaliate against the consumer for exercising any of the consumer’s rights under the California Consumer Privacy Act (i.e. denying goods or services, providing different levels of quality, charging different prices for goods or services in an attempt to coerce a consumer).
While some commentators have compared the California Consumer Privacy Act to Europe’s General Data Protection Regulation (“GDPR”) or California’s groundbreaking Data Breach Notification law, the scope and type of personal information encompassed by the California Consumer Privacy Act is broader in some respects. For example, “personal information” is broadly defined in the California Consumer Privacy Act as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The types of “personal information” protected in the California Consumer Privacy Act include, but are not limited to, “identifiers” (e.g. real name, postal address, email address, Social Security number, driver’s license number, etc.), commercial information (e.g. records of personal property, purchasing histories, etc.), biometric information, internet or electronic network activity, geolocation data, professional or employment-related information, and inferences drawn from “personal information” to reflect a consumer’s preferences, characteristics, or trends.
Should a business receive a “verifiable consumer request” to disclose the above-referenced information regarding the use or collection of the consumer’s “personal information,” the business must disclose and deliver the required information to the consumer free of charge within 45 days of receiving the request from the consumer. The time period to respond may only be extended when reasonably necessary or as specifically outlined in the California Consumer Privacy Act. Interestingly, the business’s disclosure must cover the 12-month period of activity preceding the business’s receipt of the verifiable request. Consumers are limited to 2 requests in a 12-month period.
What Are the Penalties & Risks?
As with California’s Data Breach Notification law, the California Consumer Privacy Act of 2018 empowers the California Attorney General to enforce its provisions through the initiation of a civil action against those businesses that fail to comply. Any person, business or service provider that intentionally violates the California Consumer Privacy Act may be liable for a civil penalty of up to $7,500 for each violation. Before bringing suit, the Attorney General must notify the business of the alleged noncompliance. However, if the business fails to cure any alleged violation within 30 days after being notified, the business will be in violation of the law.
Importantly, the California Consumer Privacy Act also allows a consumer to institute a direct civil lawsuit against a business if the consumer’s unencrypted or nonredacted personal information is subjected to unauthorized access, theft or disclosure as a result of the business’s “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Before initiating the lawsuit, the consumer must provide the business with notice of an alleged violation and give the business 30 days to cure. The consumer must also notify the Attorney General of the alleged violation, whereupon the Attorney General may prosecute the action against the business directly, refrain from acting (allowing the consumer to bring the lawsuit), or bar the consumer from proceeding with the action.
If the consumer clears these hurdles and brings suit against the business, the consumer can recover damages in an amount not less than $100 and not greater than $750 per customer per incident, or actual damages, whichever is greater. Depending on the size and scope of the violation, these damages can be substantial.
How Can I Protect My Business?
It is important to keep in mind that the California Consumer Privacy Act will be updated, amended and clarified prior to its January 1, 2020 effective date and thereafter. Nonetheless, there are several steps businesses can take to prepare themselves prior to this landmark law going into effect.
Do not collect or retain personal information about customers – If the collection and retention of personal information regarding your customers is not a business necessity, simply do not do it. While you should always consult with an attorney before destroying any business records that you may have a legal obligation to retain, the California Consumer Privacy Act does not require businesses to retain or collect personal information if companies are not engaged in the business of collecting this data. The easiest way to limit or obviate your company’s obligations under the California Consumer Privacy Act is to refrain from buying, renting, gathering, obtaining, or selling personal information pertaining to consumers, to the extent possible.
Obtain a cyber liability insurance policy – Cyber liability insurance policies or simply “cyber policies” have grown in popularity in the last several years and are now commonly obtained by a variety of businesses, especially companies in the financial and professional services industries. Cyber policies are typically designed to respond to data breaches, hacks, and the cost of defending or resolving corresponding regulatory investigations. However, it is likely that the insurance industry will modify or expand the cyber policies on the market to specifically address the costs associated with the forthcoming statutory obligations and litigation that will arise from the California Consumer Privacy Act. After all, the fines and penalties set forth in the California Consumer Privacy Act are insurable. If your company has been holding off on obtaining a cyber liability policy, now is a good time to look into this coverage.
Consult with an Attorney – Even if you are not a company in Silicon Valley or Silicon Beach, the sweeping provisions of the California Consumer Privacy Act will impact your company if you are doing business in California. Long before the California Consumer Privacy Act takes effect in 2020, businesses should consult with qualified counsel to evaluate the applicability of the California Consumer Privacy Act to their respective business operations and to develop a strategic response plan should consumers exercise any of the rights outlined therein. The California Consumer Privacy Act contains specific requirements for compliance and tight deadlines to complete investigations and respond to requests from consumers. Consulting with an attorney before the California Consumer Privacy Act goes into force is highly recommended.