California Privacy Laws
GDPR-style consumer data protection comes home
When Europe’s Global Data Protection Regulation (GDPR) took effect in May 2018, industries everywhere were put on notice regarding the collection, storage, and use of consumer personally identifiable information. The law, which gives consumers broad powers over how companies can or cannot use their data, applies not just to business entities in Europe but to any company anywhere in the world doing business in Europe.
That same type of consumer control has just reached the shores of the United States. Thanks to the California Consumer Privacy Act of 2018 (CCPA), signed into law on June 28, 2018, California consumers now have a very similar level of control over their personal data. What has become the toughest privacy law ever seen in the US, CCPA is poised to impact every industry and reshape what businesses can do with consumer data.
Not every business that handles California consumers’ data is required to comply with CCPA. Companies falling under the new regulation are ones that do business in the state and: (a) possess or transact on personal data of more than 50,000 California consumers, (b) have annual gross revenue over $25 million, or (c) derive more than 50% of their revenue from selling a California consumer’s personal information.
CCPA Up Close
What makes CCPA so difficult to navigate is the definition of what constitutes consumer personal information. In some of the broadest language ever seen in the US, CCPA labels “personal information” as any data that can potentially relate to an individual – biometric data, behavioral data, cyber data, even browsing history. Compared with GDPR, CCPA gives broader definitions of personal information and imposes more stringent restrictions on the commercial use of information, particularly in the sharing of that information.
However, the law’s full impact will depend on how lawmakers eventually shape the final product. In an effort to avoid a costly battle over a proposed ballot initiative being supported by privacy activists that would impose tighter privacy regulations, the California government quickly passed CCPA ahead of the November elections. Because of the hasty passing of the CCPA, there are inconsistencies and a lack of clarity in the law as passed, which will go into effect January 1, 2020. As a result, the California State Legislature is expected to decide on a number of amendments aimed at further clarifications.
One amendment to CCPA, which further clarifies fines, business rights, and some definitions, has already been passed, with other amendments expected before the law goes into effect. As such, for organizations looking to proactively comply with the law, building a compliance model for the new regulation is a moving target until lawmakers are able to pass revisionary language that further clarifies privacy rights and data controllers’ responsibilities.
For now, companies should be reviewing the key components of CCPA and outlining changes to how they handle the personal information of California consumers.
Currently, the key consumer-protection provisions of CCPA are:
- Right to Know: Businesses must disclose the categories of personal information they are collecting about California consumers and the purposes for which the information is being used. Further, consumers have the right to request what sources are being used to locate the information, the reason for collecting or selling their personal information, which third parties the business will share the information with, and what specific data has been collected on the consumer.
- Right of access and data portability: Consumers are allowed to request their personal information up to twice per year. Organizations must provide two or more methods for consumers to request their information, one of which must be a toll-free number. Businesses then have 45 days to comply with the request.
- Right to be forgotten: Consumers reserve the right to instruct businesses to delete any and all instances of the consumer’s personal information (with certain exceptions allowed), and businesses are required to inform the consumer of this right.
- Right to opt out: Consumers are granted the right to opt out of any business’s strategy to sell the consumer’s information, and businesses must inform consumers of this right.
- Right to opt in: Businesses are prohibited from selling the personal information of minors 12 years and younger without parental consent. Businesses must also obtain the consent of those minors 13-16 years of age before selling their information.
- Right not to be discriminated against: Any consumer exercising their rights under the law is protected from discrimination. Businesses are prohibited from discriminating, including by offering different prices for the same goods/services or by being unwilling to offer goods and services, in response to the consumer exercising such rights. Exceptions are permitted for price differentials that are reasonably related to the prices or services the business provides to the consumer.
Additional responsibilities and penalties companies face under CCPA include:
- Granting consumers access rights: This could mean deep architectural changes to an organization’s internal and external technological infrastructure.
- Heavy statutory penalties: The state Attorney General is authorized to enforce the law, and penalties of up to $7,500 per intentional violation can be imposed. Additionally, the penalty provisions will likely be attractive to plaintiffs’ lawyers, as the law also includes a private cause of action in connection with the data breach provision. Penalties for violations of this provision range from $100 to $750 per consumer per incident, or actual damages, whichever is greater, with no explicit requirement of intent.
- Broad regulatory powers and discretion: The Attorney General of California is given wide-ranging authority to enforce this law and to award fines and impose injunctive relief.
Because of the onerous nature of CCPA, companies in every industry need to understand their processes for data collection, use, storage, and destruction.
Some management steps your company should be taking include:
- Implementing data tracking: An audit trail is an essential first step to setting up a privacy compliance program. Companies should understand where personal information is coming from, and confirm that the handling of that information is meeting CCPA compliance requirements.
- Conducting a gap analysis: A review of your current privacy policies and responsibilities can uncover exposures that can then be addressed.
- Updating IT and privacy policies: All policies and procedures related to consumer personal information should be updated to reflect CCPA compliance requirements.
- Understanding insurance coverage: Like GDPR, it is anticipated that CCPA fines and penalties will be uninsurable in the majority of the US. However, AXA XL is actively monitoring regulatory developments in California and working towards revising applicable insurance coverage to reflect these increased exposures. Substantive changes are highly probable as lawmakers pass further amendments. Understanding how those changes will impact business is essential.
With the right approach, your company can reduce its exposures and put sensible processes in place that help address privacy regulatory concerns. Working with experts who are well-versed in GDPR-level compliance matters can help your company be better prepared to conduct business within the new CCPA privacy landscape.