Rather than go forward with a popular ballot initiative for a new state law in November, proponents of a new data privacy law in California compromised with legislators and passed Assembly Bill No. 375, signed by Governor Jerry Brown on June 28, 2018.
The California Consumer Privacy Act of 2018 imposes new requirements on businesses, following the approach of the European General Data Protection Regulation (GDPR) in force since May 25, 2018. What was the goal? Putting ownership and control of personal information back in the hands of consumers and holding businesses up to a higher standard to secure personal information.
Beginning January 1, 2020, Californians will have the following rights:
1. to know what personal information is being collected about them
2. to know whether their personal information is sold or disclosed and to whom
3. to say no to the sale of personal information
4. to access their personal information
5. to equal service and price, even if they exercise their privacy rights
From a practical perspective, unless a business has the capacity to treat Californians differently from all other consumers in its systems, the California law may encourage businesses to take this approach with all personal information. So what changes will businesses be implementing to comply with the new law?
Toll-Free Numbers and Email Addresses
Privacy policies that apply to Californians must be transparent and tell the consumer the categories and specific pieces of personal information the business has already collected, upon the receipt of a "verifiable consumer request." The business must have, at a minimum, a toll-free number and an email address for the consumer to use in submitting the request. In response, the business must deliver, for free, by mail or email, within 45 days, the personal information in a portable form so that the consumer can easily send it to another business.
While a business may choose to deliver personal information at any time, it is required to respond to the same consumer only twice a year. If personal information is collected for one-time use only, and that information is not intended to be kept or sold by the business, or linked to any other personal information of that user, then the business doesn't have to retain the single-use information in its database.
Notification to Consumers
Another obligation is to notify the consumer of the specific categories of personal information to be collected and the purposes for which it shall be used. So if a business will save the consumer's information in, for instance, its document management, email, billing or phone systems, it must notify the consumer. If the consumer's personal information will be sold to or shared with a third party, the business must notify the consumer of those facts and the business or commercial reasons behind the collection or sale.
"Do Not Sell My Personal Information"
The legislation specifically refers to the misuse of the personal data of millions of people by Cambridge Analytica (although it doesn't mention Facebook, which shared the information during the 2016 Presidential election). Critically, a consumer has an explicit right to opt out of such sale or disclosure of personal information. Any third party that bought personal information can't re-sell it unless the consumer received explicit notice and had the opportunity to opt out. Websites must have a link to a page entitled "DO NOT SELL MY PERSONAL INFORMATION" that provides clear opt-out instructions, and the consumer cannot be required to set up an account as a condition of opting out.
Deletion of Personal Information
The European "right to be forgotten" has been included in the new law, too, but with a California spin: if it's necessary for the business to retain the personal information of the consumer, then the business doesn't need to delete it. Necessary retention includes (a) aspects of the consumer relationship: completing a transaction, providing a requested good or service, performing a contract, continuing the ongoing business/consumer relationship; (b) online security or functionality of the business systems; (c) free speech; (d) informed consent for research purposes; (e) compliance with legal obligations.
Back to the practical - 2020 isn't that far away. In order to provide these rights to Californians, step one is to ask for the consumer's state of residence and record and maintain all personal information in a safe place. Training personnel on the obligations of the law and setting up a process to handle the verified requests is key. If your business collects personal data from Californians, then understanding the new law and implementing new protocols are critical to properly managing personal information.
Amy B. Goldsmith, Partner and Chair of Privacy and Cybersecurity Group, 212.216.1135