In June, California passed a sweeping new privacy law that will impact an estimated 500,000 businesses in the United States. The California Consumer Privacy Act of 2018, AB 375 (CaCPA) is the first U.S. law to grant consumers extensive rights as to their personal information and how businesses handle it. Similar to the European Union's newly-minted GDPR, the CaCPA is intended to further the right of privacy, which is constitutional in nature in California. The law requires companies to be transparent with consumers regarding the categories of personal information being collected and how that information is disclosed and shared. Specifically, the law will grant consumers increased access to their personal information, the option to direct businesses to delete that information, and additional control concerning the sale and sharing of their personal information. Should any consumer exercise these rights, the CaCPA prohibits businesses from discriminating against them by charging a different price or providing a different service in response. As the law will not take effect until January 1, 2020, amendments are expected in the interim. The California legislature approved the first set of amendments in late August to make technical corrections.

New Rights and Obligations Under the CaCPA

The CaCPA grants "consumers," defined as California residents, more power and control over their personal information held by businesses than ever before. Under the new law, California consumers will have the power to direct businesses to delete or refrain from selling their personal information under certain circumstances. The CaCPA also completely prohibits businesses from selling the personal information of a consumer between 13 and 16 years of age unless the sale is affirmatively authorized by the consumer or their parent or guardian. In the case of consumers under the age of 13, the authorization must be by the parent or guardian.

The CaCPA grants rights that will give consumers access to information about the data collection and processing practices of businesses, including information concerning:

  1. the categories and specific pieces of personal information businesses are collecting and processing about the consumer;
  2. whether personal information is being sold;
  3. the purpose for which the personal information is being collected or processed;  and
  4. the categories of third parties with whom the business shares or sells the personal information.

The CaCPA also contains detailed requirements regarding consumer requests. First, businesses must make available to consumers two or more designated methods for submitting requests for information, including a toll-free telephone number and website if the company maintains one. Second, businesses must disclose and deliver the requested information to consumers free of charge within 45 calendar days. Businesses will also be expected to comply with the Act's specific instructions regarding the content of their websites and online privacy policies. Websites must contain clear and conspicuous links that enable customers to opt out of the sale of their personal information, although the law allows for some flexibility on how to implement certain of these new changes.

Businesses will be prohibited from discriminating against consumers who exercise their privacy rights by denying them goods or services, providing a different level of quality of those goods or services, or charging different prices or rates. Businesses will even be prohibited from suggesting that they may deny services or charge a different price if consumers exercise these privacy rights. However, the law allows businesses to charge a different price, or offer a different quality of goods or services if the difference "is directly related to the value provided to the consumer by the consumer's data." Despite these restrictions, the new law does authorize businesses to offer financial incentives for the collection of personal information, including payments to consumers.

The Scope of the New Law

Similar to the GDPR's definition of personal data, the CaCPA applies to "personal information" that is broadly defined to include IP addresses, browsing history, and even inferences drawn from any of the identified information that creates a profile reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

As for who the law will impact, the CaCPA specifies that it will only apply to certain types of businesses that collect and process the personal information of California consumers. Specifically, the law defines "business" to mean one that is either a sole proprietorship, partnership, LLC, corporation, association or other legal entity organized or operated for the financial benefit of its shareholders or other owners, that (1) collects consumers' personal information, (2) determines the purposes and means of the processing of consumers' personal information, and (3) does business in California. The business must also satisfy one of the following conditions:

  1. have annual gross revenues in excess of $25 million;
  2. alone or in combination, annually buy, sell, or receive or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  3. derive 50 percent or more of annual revenues from selling consumers' personal  information.

The CaCPA will also apply to any entity that controls or is controlled by a qualifying business and that shares common branding with that business. While the definition of "business" makes clear that bigger businesses like Google and Facebook will fall within the scope of the CaCPA, even small startups could be subject to CaCPA requirements if they are in the business of buying, selling, receiving, or sharing the personal information of California consumers.

Importantly, the law will not apply to protected health information that is already regulated under HIPAA, the Gramm-Leach Bliley Act (GLBA), the Driver's Privacy Protection Act (DPPA), or personal information covered by the Fair Credit Reporting Act. Because the exemptions apply specifically to information that is subject to regulation, and not entire entities, businesses will need to pay close attention to the particular information at issue in each instance.

The CaCPA also includes an extraterritorial limitation which states that the law will not restrict a business' ability to collect or sell consumer personal information so long as "every aspect of that commercial conduct" occurs outside California. This means that the consumer must be outside of California while their data is being collected and processed, and the collection and processing must occur outside of the state as well.

Consequences of Non-Compliance

The statutory damages allowed for under the CaCPA could be staggering, as they can range between $100 and $750 "per incident or actual damages, whichever is greater." In determining the amount of damages, courts may consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct and length of time over which it occurred, the willfulness of the misconduct, and the defendant's assets, liabilities, and net worth. After certain requirements are met, the law allows consumers to bring a private right of action in the event their personal information is subject to unauthorized access or disclosure.

The Attorney General may also institute a civil action, and can seek up to $7,500 for each intentional violation. The law will create a new Consumer Privacy Fund to offset costs incurred by the Attorney General and the courts in these efforts.

What Prompted the New Legislation?

A brief history of the CaCPA's passage helps to contextualize the new law. The bill was passed swiftly in a last-minute effort to evade a ballot measure initiated by a real estate mogul. The ballot initiative was the first attempt at this sweeping privacy law, albeit a stricter version, and would have been voted on in November 2018. However, an initiative passed by the people would be much more difficult to amend in the future than a law passed by the legislature. The technology industry and the legislature negotiated with the ballot initiative campaign, which ultimately agreed to withdraw the proposal if the CaCPA, in its current form, was passed. The legislature fast-tracked the bill and it was passed in a matter of days.

The Future of the Act

As businesses continue to lobby for modifications to the Act, the California legislature approved the first set of amendments on August 31. Although the amendments were mainly aimed at fixing technical errors, they also made substantive changes to certain provisions of the Act. Notably, the Act initially gave the Attorney General until January 1, 2020, to adopt implementing regulations. The amendments extended that deadline until July 1, 2020, at least with respect to the privacy requirements of the Act. Furthermore, the Attorney General is not required to begin enforcing the privacy requirements until six months after the publication of final regulations or until July 1, 2020, whichever occurs first. The amendments also expanded the scope of the HIPAA, GLBA, and DPPA exceptions, and narrowed the private right of action to instances involving data security breaches. Businesses should continue to be vigilant in tracking the development of the Act and preparing for its effective date in 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.