For our clients that do business in California and collect personal information of California residents, it is advisable to understand California's new Consumer Privacy Act of 2018 (the "Act") and, if the Act applies to your business, to start preparing for compliance now.
Who should prepare for the Act?
The Act applies to any "covered business" that (i) does business in California, (ii) collects California consumers' "personal information", and (iii) satisfies one or more of the following thresholds: (A) annual gross revenues over $25 million; (B) buys, receives, sells, or shares (for commercial purposes) the personal information of 50,000 or more California consumers, households, or devices; or (C) derives 50% or more of its annual revenues from selling California consumers' personal information.
The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Under this definition, the scope of personal information covers almost any data that a company may collect or maintain about a consumer, and even the consumer’s household.
When should companies start preparing for the Act?
Note in particular that the Act has a 12-month look-back rule. Once the Act goes into effect on January 1, 2020, consumers will have the right to request all the personal information a company has collected about them over the previous 12 months, that is, going back to January 1, 2019. A company that falls within the definition of a covered business therefore needs to start taking action now to comply with the Act.
What happens if a company fails to comply with the Act?
If a company is not in compliance with the Act, the California Attorney General may seek a civil penalty of up to $2,500 for each violation, and up to $7,500 for each intentional violation. The Act also gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, where their personal information is compromised in a data breach caused by a failure to implement reasonable security safeguards appropriate to the nature and sensitivity of the personal information the company processes.
What should companies do to prepare for compliance with the Act?
Data mapping for consumers' right to know and to request access
Companies should start data mapping and have their data tracking systems in place as early as the beginning of 2019. When a consumer submits a request under the Act, the company has 45 days to provide a comprehensive report covering what categories of personal information it holds about the consumer, for what purpose, whether that information was sold, and, if so, to whom (including name and address). A consumer is entitled to make such a request twice in any 12-month period. The Act further requires companies to develop a way to verify that a request is genuinely from the consumer (or an authorized agent) before releasing any information, since responding to an unverified request would itself disclose personal information to the wrong party. In practice, the data map should cover not only the company's own systems of record but also backups and data held by third-party service providers, so that a 45-day response is achievable.
Consumers' privacy choices: opting out and deletion
Companies need to give consumers the option not to have their personal information sold to third parties, known as the right to "opt out". For minors under age 16, the Act requires companies to obtain the consumer's affirmative consent (the parent's or legal guardian's consent if the minor is under age 13) before selling their personal information to third parties.
The company must also inform consumers of their right to have the personal information the company has collected and maintained about them deleted, and explain how to submit such a request.
Companies should therefore review their systems to confirm that they can actually honor an opt-out of sale and can delete a consumer's personal information on request, including directing service providers to delete any copies they hold.
Companies cannot discriminate against a consumer for exercising his or her rights under the Act, such as the right to opt out or the right to delete personal information, for example by charging a different price or providing a different level or quality of service.
Ensuring information security in line with the law
Companies are required to implement and maintain reasonable security procedures and practices appropriate to the nature and sensitivity of the personal information they process. As noted above, failure to do so exposes a company to a private right of action if a data breach involving consumers' personal information occurs.
Review and Update of Third Party Agreements
If a company uses third-party service providers to process consumers' personal information, it should review and update its agreements with those processors so that the contracts restrict the provider's use of the data to the contracted purpose and support the company's own obligations under the Act (for example, passing through deletion requests).
Updating privacy policy
Companies will need to revise their privacy policies to describe consumers' rights under the Act, how to exercise those rights, and the categories of personal information the company has collected, sold, or disclosed for a business purpose in the preceding 12 months. Also be aware that under the Act the privacy policy must be updated at least once every 12 months.
Note that even companies that recently revised their privacy policies to comply with the EU General Data Protection Regulation (GDPR) may need to update their disclosures further to address the items above, as the Act's required disclosures do not fully overlap with the GDPR's.
If you'd like to know more about the Act, or need assistance updating the privacy policy of the company, please feel free to contact us.