As most people started to wind down for the July 4th holiday week, California was just ramping up its “as California goes” focus on data privacy. On June 28, 2018, California passed a comprehensive data privacy bill that has been touted as the strictest in the nation.
The good news first—businesses have until January 1, 2020, to revamp privacy compliance programs, update policies, procedures and processes, and operationalize the sweeping new changes passed by the California legislature. The not-so-good news for businesses, however, is that this new law imposes a significant number of restrictions on the way businesses collect, use, store, and share personal data. In addition, consumers now have a private right of action for certain disclosures or losses of personal data. While the new California Consumer Privacy Act of 2018 amends Sections 1798.100 through 1798.198 of the California Civil Code, there is still a lot of uncertainty as to which specific requirements may be revised in the next 18 months.
This initial overview provides a few high-level practical questions to help your company get a head start on determining how best to implement this new legislation. Bradley will continue its review and coverage of this law in an ongoing series devoted to state privacy law updates, so please check back here for more information.
Who Is Affected?
According to some accounts, the act will apply to more than 500,000 U.S. companies and has the potential to affect hundreds of thousands more companies worldwide. Additionally, even though the law does not apply to information already regulated under various federal laws, it does apply to entities traditionally covered by regulations such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Health Insurance Portability and Accountability Act.
Any company that meets certain criteria and receives personal data from California residents must comply with the new statute. Note that although the act is touted as a “consumer privacy” law, California has broadly defined consumer to include “any natural person who is a California resident.”
Under the act, any company that (1) has an annual gross revenue of $25 million, (2) obtains personal information of 50,000 or more California residents, households or devices annually, or (3) derives 50 percent or more annual revenue from selling California residents’ personal information would be a covered entity under the statute. Note that parent companies and subsidiaries using the same branding are covered, even if those companies and subsidiaries do not exceed the applicable thresholds.
Why Is This Different?
In passing the act, legislators declared that it was their intent to provide Californians with specific rights to privacy, including: (1) the right to know what personal information is being collected about them; (2) the right to know whether their personal information is being sold or disclosed and to whom; (3) the right to say no to the sale of personal information; and (4) the right to access and delete their personal information.
Additionally, as currently drafted, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The broad nature of this definition encompasses data that relates not just to a single individual but to an entire household—effectively encompassing information such as web browsing histories, IP addresses, energy consumption, or other general information—even if no individual name is associated with it.
What Can I Do Now?
First and foremost, understand what data you collect. The concept of data mapping has been recommended by privacy professionals for some time; however, this new act makes it even more pertinent that companies map and inventory their data. What information does your company collect on California residents? What are the sources of that data? Is the information shared with third parties, and in what context? These and many other questions will need to be answered before an entity can evaluate whether the new act will apply and in what ways the company may need to alter its practices or update its policies and procedures.
In addition, companies should start to consider whether current systems and processes will allow compliance with the new rights afforded to consumers, such as the ability to verify the identity of persons who make requests for data deletion, access or transfer. Also, how will companies store and maintain records on consumers who have opted out of data sharing or made a request for information?
Although the implementation of the new act is still another 18 months away, companies should begin the process of assessing the act’s impact on business processes, operations and data handling practices. Additionally, anyone affected by the act should pay close attention to potential revisions and changes to the law as we move toward January 1, 2020.