U.S. Consumer Privacy Regulations: California’s Consumer Privacy Act of 2018
On June 28, 2018 California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 which goes into effect on January 1, 2020. This is the second privacy-related law at the state level to be passed this year, the first being Vermont’s law relating to data brokers and consumer protection.
In a press release on June 28, 2018 State Senator Bob Hertzberg stated “Today the California Legislature made history by passing the most comprehensive privacy law in the country.” This bill will give California consumers rights regarding their personal information that businesses collect, sell or disclose to third-parties. California consumers will exercise their rights by making requests to businesses.
Depending on your perspective, this bill could be considered a significant step forward in protecting the right to privacy for Californians. When we look at the rights granted by this bill we can start to see similarities to the European Union’s General Data Protection Regulation (GDPR). That is not to say GDPR is the standard that we should be working toward, it is a comprehensive regulation and could be viewed as the baseline to which all future privacy laws will be compared.
Similar to GDPR, the bill requires businesses to update their online privacy policies, provide a “California-specific” description of the privacy rights, and have a link on the business’ Internet homepage title “Do Not Sell My Personal Information”. It also stipulates that a business will need to make available to consumers two or more designated methods of submitting requests including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Website, a Website address.
The last similarity and one that needs to be highlighted is the bills use of encryption as a “reasonable” security. Encryption plays an important role in any business security plan and is part of the strategy not the strategy itself. This bill does not say you must encrypt your data, it says that any “nonencrypted” or “nonredacted” personal information that is part of breach will result in a violation of the duty to implement and maintain reasonable security procedures and practices.
How is personal information defined?
The bill defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Aside from identifiers such as your name, postal address, or email; the bill also includes online identifiers (IP address), electronic network activity information such as browsing history, geolocation data, professional or employment-related information, and biometric information including DNA.
Is my business within scope?
The bill defines a business as “A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial benefit of its shareholders or other owners, the collects consumers’ personal information… determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California…”
The bill goes on to stipulate one or more thresholds that must be satisfied to be considered a business under this bill.
- Annual gross revenues in excess of twenty-five million dollars ($25,000,000)
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenue from selling consumers’ personal information.
If your business meets any one of these thresholds then you are in scope of this bill.
What rights do California consumers have under this act?
The intention of this act is to give Californians an effective way to control their personal information. As a Californian this bill enacts the following rights:
- The right of Californias to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.