This article was originally published by Frankfurt Kurnit Klein+Selz.
On the heels of the European General Data Protection Regulation (GDPR), California has now passed a digital privacy law that gives consumers more control over their personal information online. The California Consumer Privacy Act of 2018 is unprecedented in the United States in that it applies European-level compliance obligations. The new law—which applies to any organization doing business in California and annually handling the information of more than 50,000 consumers, households, or devices—includes new disclosure requirements, consumer rights, training obligations, potential penalties for noncompliance, and more. It will take effect on January 1, 2020. Here are some of the key provisions:
- Right to Transparency – Similar to the GDPR, the law creates a right to transparency regarding personal information. The law defines personal information very broadly, also like the EU definition, to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of personal information include unique personal identifier, online identifier, Internet Protocol address, internet or other electronic network activity information (including browsing history, search history, and information regarding a consumer’s interaction with an internet Web site, application, or advertisements), geolocation data, and inferences drawn from any information identified in this subdivision to create a profile. The law requires a business to inform consumers as to the categories of personal information to be collected and the purposes for which the categories shall be used. In addition, the business must disclose the consumer’s right to request deletion; that personal information may be sold; and that consumers have the right to opt out of the sale.
- Access Right – The law provides consumers with the right to request that a business disclose to the consumer the categories and specific pieces of personal information that the business has collected. Upon the request, the business must disclose: (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting or selling personal information; (4) the categories of third parties with whom the business shares personal information; and (5) the specific pieces of personal information it has collected about the consumer. While this right is similar to the access right under the GDPR, it also adds specific requirements regarding the sale of personal information.
- Data Portability Right – The law provides consumers with the right to obtain their personal information in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit the information to another entity without hindrance. Again, this right is similar to the right under the GDPR.
- Deletion Right – The law provides consumers with a right to request that a business delete any personal information that the business has collected from the consumer. Note that the deletion right relates to personal information “the business has collected from the consumer” while the access right relates to personal information “the business has collected.” The deletion right is subject to specific exceptions set forth in 1798.105(d). Again, this right is similar to the right under the GDPR.
- Data Sale/Disclosure Right – This right is not provided by the GDPR. The law provides consumers with the right to request that a business that sells the consumer’s personal information or discloses it for business purposes, disclose: (1) the categories of personal information that the business collected about the consumer; (2) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal data was sold, by category or categories of personal information for each third party to whom the personal information was sold; and (3) the categories of personal information that the business disclosed about the consumer for a business purpose. Note that the law creates separate rights regarding personal information sold and personal information disclosed for business purposes.
The term “sell” is broadly defined to include selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. Exception: “sell” does not include when a consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided that the third party does not also sell the personal information; however, the law specifies that hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
The term “business purpose” means the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, including auditing, detecting security incidents, debugging, short term transient use (including contextual customization of ads shown as part of the same interaction), performing services on behalf of the business or service provider (including providing analytic services), undertaking internal research, and safety.
The distinction between sell and disclosure for business purpose is important because it impacts the opt-out right discussed below.
- Right to Opt-Out – A consumer shall have the right at any time to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. The third party also has obligations. A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out. The business may request opt-in after 12 months.
- Right to Opt-in for Children under Age 16 – A business needs opt-in consent to sell the personal information of a consumer where it has actual knowledge the consumer is under 16. The opt-in consent must come from the consumer if between 13 and 16. The opt-in consent must come from the parent if the consumer is under 13.
- Deidentified or Aggregate Consumer Information – The law provides an exception that it shall not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated.
- Financial Incentives- Another key difference between the GDPR and the new California law is that under the new California law a business may offer financial incentives for the collection, sale, and deletion of personal information. The business shall notify consumers about the financial incentives and obtain opt-in consent. The business shall not discriminate against consumers that do not opt-in or who exercise their rights.
- Violations – There is no private right of action (except in connection with a security breach, which is narrowly defined). The State Attorney General may bring actions for civil penalties of up to $7,500 per violation.
If you have questions about the California Consumer Privacy Act of 2018, about GDPR, or about any other privacy and data security issues, please contact Tanya Forsheit at 310 579 9615 or [email protected], Daniel M. Goldberg at 310 579 9616 or [email protected], or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
For more information from the 4A’s on the California Consumer Privacy Act of 2018, please click here.