Expect Focus Life Insurance, September 2018

In California, a New Era in U.S. Privacy

Cybersecurity and Privacy   |   Insurance   |   Financial Services Regulatory   |   Life Insurance & Financial Lines   |   Securities & Investment Companies   |   Securities Transactions and Compliance   |   Technology   |   Labor & Employment   |   Banking & Consumer Finance   |   October 1, 2018
In June, California passed a sweeping new privacy law that will impact an estimated 500,000 businesses in the United States. The California Consumer Privacy Act of 2018, AB 375 (CaCPA), is the first U.S. law to grant consumers extensive rights as to their personal information and how businesses handle it. Similar to the European Union’s newly minted GDPR, the CaCPA is intended to further the right of privacy, which is constitutional in nature in California. The law requires companies to be transparent with consumers regarding the categories of personal information being collected and how that information is disclosed and shared. Specifically, the law will grant consumers increased access to their personal information, the option to direct businesses to delete that information, and additional control concerning the sale and sharing of their personal information. Should any consumer exercise these rights, the CaCPA prohibits businesses from discriminating against them by charging a different price or providing a different service in response. As the law will not take effect until January 1, 2020, amendments are expected in the interim. The California legislature approved the first set of amendments in late August to make technical corrections.

New Rights and Obligations Under the CaCPA

The CaCPA grants “consumers,” defined as California residents, more power and control over their personal information held by businesses than ever before. Under the new law, California consumers will have the power to direct businesses to delete or refrain from selling their personal information under certain circumstances. The CaCPA also completely prohibits businesses from selling the personal information of a consumer between 13 and 16 years of age unless the sale is affirmatively authorized by the consumer or their parent or guardian. In the case of consumers under the age of 13, the authorization must be by the parent or guardian.

The CaCPA grants rights that will give consumers access to information about the data collection and processing practices of businesses, including information concerning:

  1. the categories and specific pieces of personal information businesses are collecting and processing about the consumer;
  2. whether personal information is being sold;
  3. the purpose for which the personal information is being collected or processed; and
  4. the categories of third parties with whom the business shares or sells the personal information.

The CaCPA also contains detailed requirements regarding consumer requests. First, businesses must make available to consumers two or more designated methods for submitting requests for information, including a toll-free telephone number and, if the company maintains a website, a website address. Second, businesses must disclose and deliver the requested information to consumers free of charge within 45 calendar days. Businesses will also be expected to comply with the Act’s specific instructions regarding the content of their websites and online privacy policies. Websites must contain clear and conspicuous links that enable consumers to opt out of the sale of their personal information, although the law allows for some flexibility in how certain of these new requirements are implemented.

Businesses will be prohibited from discriminating against consumers who exercise their privacy rights by denying them goods or services, providing a different level of quality of those goods or services, or charging different prices or rates. Businesses will even be prohibited from suggesting that they may deny services or charge a different price if consumers exercise these privacy rights. However, the law allows businesses to charge a different price, or offer a different quality of goods or services if the difference “is directly related to the value provided to the consumer by the consumer’s data.” Despite these restrictions, the new law does authorize businesses to offer financial incentives for the collection of personal information, including payments to consumers.

The Scope of the New Law

Similar to the GDPR’s definition of personal data, the CaCPA applies to “personal information” that is broadly defined to include IP addresses, browsing history, and even inferences drawn from any of the identified information that creates a profile reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

As for who the law will impact, the CaCPA specifies that it will only apply to certain types of businesses that collect and process the personal information of California consumers. Specifically, the law defines “business” to mean one that is either a sole proprietorship, partnership, LLC, corporation, association or other legal entity organized or operated for the financial benefit of its shareholders or other owners, that (1) collects consumers’ personal information, (2) determines the purposes and means of the processing of consumers’ personal information, and (3) does business in California. The business must also satisfy one of the following conditions:

  1. have annual gross revenues in excess of $25 million;
  2. alone or in combination, annually buy, sell, or receive or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  3. derive 50 percent or more of annual revenues from selling consumers’ personal information.

The CaCPA will also apply to any entity that controls or is controlled by a qualifying business and that shares common branding with that business. While the definition of “business” makes clear that bigger businesses like Google and Facebook will fall within the scope of the CaCPA, even small startups could be subject to CaCPA requirements if they are in the business of buying, selling, receiving, or sharing the personal information of California consumers.

Importantly, the law will not apply to protected health information that is already regulated under HIPAA, to information covered by the Gramm-Leach-Bliley Act (GLBA) or the Driver’s Privacy Protection Act (DPPA), or to personal information covered by the Fair Credit Reporting Act. Because the exemptions apply specifically to information that is subject to regulation, and not to entire entities, businesses will need to pay close attention to the particular information at issue in each instance.

The CaCPA also includes an extraterritorial limitation which states that the law will not restrict a business’s ability to collect or sell consumer personal information so long as “every aspect of that commercial conduct” occurs outside California. This means that the consumer must be outside of California while their data is being collected and processed, and the collection and processing must occur outside of the state as well.

Consequences of Non-Compliance

The statutory damages allowed for under the CaCPA could be staggering, as they can range between $100 and $750 “per incident or actual damages, whichever is greater.” In determining the amount of damages, courts may consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct and length of time over which it occurred, the willfulness of the misconduct, and the defendant’s assets, liabilities, and net worth. After certain requirements are met, the law allows consumers to bring a private right of action in the event their personal information is subject to unauthorized access or disclosure.

The Attorney General may also institute a civil action, and can seek up to $7,500 for each intentional violation. The law will create a new Consumer Privacy Fund to offset costs incurred by the Attorney General and the courts in these efforts.

What Prompted the New Legislation?

A brief history of the CaCPA’s passage helps to contextualize the new law. The bill was passed swiftly in a last-minute effort to evade a ballot measure initiated by a real estate mogul. The ballot initiative was the first attempt at this sweeping privacy law, albeit a stricter version, and would have been voted on in November 2018. However, an initiative passed by the people would be much more difficult to amend in the future than a law passed by the legislature. The technology industry and the legislature negotiated with the ballot initiative campaign, which ultimately agreed to withdraw the proposal if the CaCPA, in its current form, was passed. The legislature fast-tracked the bill and it was passed in a matter of days.

The Future of the Act

As businesses continue to lobby for modifications to the Act, the California legislature approved the first set of amendments on August 31. Although the amendments were mainly aimed at fixing technical errors, they also made substantive changes to certain provisions of the Act. Notably, the Act initially gave the Attorney General until January 1, 2020, to adopt implementing regulations. The amendments extended that deadline until July 1, 2020, at least with respect to the privacy requirements of the Act. Furthermore, the Attorney General is not required to begin enforcing the privacy requirements until six months after the publication of final regulations or until July 1, 2020, whichever occurs first. The amendments also expanded the scope of the HIPAA, GLBA, and DPPA exceptions, and narrowed the private right of action to instances involving data security breaches. Businesses should continue to be vigilant in tracking the development of the Act and preparing for its effective date in 2020.

©2018 Carlton Fields Jorden Burt, P.A.