While the world*** has been poring over the voluminous rules of the European’s new General Data Protection Regulations that went into effect May 25th (and don’t freak out if you’re not in compliance yet – most of the world isn’t), a revolution was brewing in California, and now the California Consumer Privacy Act of 2018 will go into effect January 1, 2020.
***I realize I use the word “world” carelessly. In the ranking of headlines, consumer data protection has probably only broken the top 5 three or four times this year. But in my own bubble, the GDPR has been all there is since about April 15th. So forgive this lawyer’s myopia.
The story of how this legislation came about is pretty fascinating – a San Francisco (real estate) developer named Alistair Mactaggart was at a cocktail party talking to a Google (software) developer who told him that people would be freaked if they new how much Google knew about them.
This didn’t sit well with Mactaggart, who decided to fund a drive to get enough petition signatures to put a privacy initiative on the voting ballot during the upcoming U.S. Mid-term elections in November. (In California, initiatives** are occasionally voted on directly by the population, instead of being debated and passed by the legislature). He got 600,000 signatures, more than needed. His initiative was apparently pretty scary to the People Who Hold All Your Data in Silicon Valley, and they were gearing up for a big fight. (Facebook evidently bowed out, since after Cambridge Analytica, it might not be the best PR move for them to be actively fighting against privacy laws). So MacTaggart said to the California legislature, “You pass something that will actually protect consumer data before June 28th, and I’ll withdraw my initiative.” (I made that quote up, but that was the gist of the conversation). This was an attractive option to the California lawmakers, who didn’t want to face the wrath of the big data companies if the initiative went through. This was all going on pretty quietly until last weekend, when the lawmakers finally negotiated a deal. It passed the California Assembly unanimously in the early afternoon of June 28th, and Governor Jerry Brown signed the California Consumer Privacy Act of 2018 at about 3 p.m. Mountain Time that day, an hour or so before the deadline MacTaggart set.
**an earlier version of this post called incorrectly used the word “referendum” instead of “initiative.” This has been amended after a helpful lesson on California lawmaking by my friend and colleague, LA lawyer Ken Wilton.
The press reports up to the passing seemed to indicate that this legislation was a pretty watered-down version of MacTaggart’s initiative, and in many ways it is more about knowledge than about actual control over what companies can collect. But there is a doozy in there. We’ll get to it in a minute.
First, who is going to have to comply with the CCPA? The Act defines “businesses” as those entities, including sole proprietorships, who have more than 25 million in annual revenue, processes the personal information of (in total, by collecting, buying or otherwise receiving, or selling or sharing) fifty thousand consumers, households, or devices, OR makes more than fifty percent of its revenue from selling consumer personal information. The definition of “personal information” is incredibly broad, and essentially covers every piece of identifying information or behavioral information that is not publicly available, if it “could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This limited definition of “business” means that not every small business has to worry about this, but all the ones who make more than 25 million in revenue, have a lot of customer records, or are in the data selling business will. And this does not apply only to businesses in California. The law is meant to protect California residents, so businesses that have customers in California have to pay attention to this, whether they are in the state or not. Also, from a consumer prospective, this law may seem pretty attractive. When people in the rest of the country find out that Californians can keep Facebook from selling their data, they’re going to want that right too, and they are going to start calling their legislators. So I expect this to spread fairly quickly – say 2 -3 years. We’ll check back in 2021 and see how right I am.
But if CCPA applies to your business’s collection and use of consumer personal information, what does it mean?
• The CCPA gives Californians the right to know specifically what is being collected, all the purposes for which it is being used, and the categories of third parties with whom each category of personal information is being shared and sold (although the law does not require businesses to disclose the specific identities of those third parties). It allows them to ask for this information twice a year.
• It also allows them to ask for their information to be deleted, to the extent it has not been otherwise used or bundled in non-identifiable form (aggregated data sets, for example).
• Companies can not charge to comply with these requests, and have 45 days to do so. If a consumer asks for their data, it has to be provided in a reasonably readable form.
The good news is that if you’re in the process of complying with the GDPR, you’re going to have to have processes in place for all of that anyway, so you may be in better shape for this than you think.
BUT HERE’S THE DOOZY:
If businesses sell personal information, they have to tell consumers they do so (so far so good). But they also have to give them the right to opt-out at any time, and they have to:
Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
Yes. You’re going to have to put a new page on your website, along with a big box on your home page, that says “Do Not Sell My Personal Information” and allows customers to opt-out. You also have to include this language in your privacy policy. Moreover, you can not tell customers who opt-out that they can not use your service. You also can not charge them more, except to the extent the difference in price is “reasonably related to the value provided to the consumer by the consumer’s data.” Someone will argue that “the value provided to the consumer” is in fact access to the service on the site, but I expect that argument will go nowhere given the other language in that section of the Act. Businesses are allowed to “incentivize” the sharing of data to be sold, if you get consent for that, but only if the “incentive” is not “coercive.”
It’s time for a complete review, and maybe overhaul, of the way your business and your clients’ businesses treat consumer data. I’ve worked up a very general template for a universal step-by-step data protection plan, which you are free to use to get started, but which may need serious beefing up, especially if your business touches health data, financial data, or children’s data.
1. Know what information you collect, and where you keep it. If you keep it in third party services (like Salesforce, Google contacts, or Dropbox), make a list of those third parties and what information each one has.
Businesses have time to prepare for this. It’s also very possible there will be some changes to the legislation before it goes into effect in 2020, which may relieve some of these obligations but at the same time makes it harder to be proactive. If changes come, we’ll tell you about them. And we’re here to help you get ready.