California legislators recently passed Assembly Bill 375 - commonly known as the “California Consumer Privacy Act” - which will grant Californians increased control over their personal data.
The Act will have substantial effects on any business that has appreciable interactions with California, in how they store, share, disclose, and engage with consumer data. The Act will be effective as of January 1, 2020.
To comply with the new Act, businesses will need to create internal processes to properly and timely respond to consumer requests for information, requests for deletion, and requests to opt out of having their information sold. Businesses will also need to update their privacy policies and websites to provide the more stringent disclosures and methods for consumers to exercise their newly acquired rights.
Vendor management and controls will also need to be updated to ensure compliance with the limitations provided for in the Act. Businesses heavily reliant upon analyzing data will need to heighten technological capabilities to ensure that personal information is de-identified.
Impact on Technology Companies
For technology companies, this Act may create additional obstacles to innovation that leverage economies of scale across different organizations either through shared platforms or technologies. Consider companies that have created tools to permit other companies to release consumer-facing mobile applications through various APIs and SDKs. While stakeholders often start with a common set of technologies, each partner may ultimately use the tools in their own unique way.
Consumers may argue that the web of privacy policies may ultimately need to be reconciled amongst the stakeholders because the ecosystem is presented to all consumers as one comprehensive application.
Practically, all parties involved in an ecosystem will likely be affected by the conduct of the others, which is a shift from the traditional American digital paradigms. However, the basic tenets are familiar to those of us who have worked with the Fair Credit Reporting Act and other statutory schemes that build off of the Fair Information Privacy Principles.
Partners and vendors will need to be carefully vetted prior to engagement by business teams and legal counsel. Each involved party will need to understand the data that the others are collecting, sharing, and selling, and obtain representations and warranties in their agreements to protect itself from a consumer class action or regulatory enforcement.
Additionally, many contractual provisions such as licensing of data and indemnity will become greater points of contention in business-to-business deals and should be carefully discussed and reviewed with legal counsel.
Act Summary and Analysis
Below is our summary and analysis of the Act:
What is “Personal Information”?
Effectively adds the following categories of information:
Does not include “public information” and “de-identified information.” But public information does NOT include: (1) information that is used in a way not compatible with its original purpose, or (2) de-identified or aggregate information.
When Is Personal Information “De-Identified”?
Personal information is not considered “de-identified” unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information
Consent and Proportionality
Adds the concept of proportionality (i.e., “reasonably necessary”) to the definition of “business purpose,” which must have been permitted.
What Is “Selling” of Personal Information?
“Selling” personal information includes “releasing, disclosing, disseminating, making available” for “valuable consideration.” Does not include third party processors who receive that information for only processing.
Consumers’ Right to Request
Collectors – (1) Consumers have right to request categories of information collected, (2) from whom it was collected, (3) the specific business purposes for which it was collected, and (4) with whom it is shared.
Sellers – (1) Consumers have right to request categories of information sold, and (2) to whom it was sold. “Sellers” appear to be also “collectors.”
Both may require a verifiable request. Certain exceptions to the above apply for truly “one time” uses.
Consumers’ Right to Delete Records
Businesses that receive verifiable requests from consumers to delete their personal information, must delete, and direct any service providers to delete, such information. Compliance is not required if it is necessary for the business or service provider to maintain the personal information (such as for legal, security, or transactional needs).
Response In a “Readily [Machine] Useable Format”
Disclose and deliver required information to consumer within 45 days in writing and delivered through consumer’s account, or by mail or electronically at consumer’s option if consumer does not maintain account, “in a readily useable format that allows consumer to transmit this information from one entity to another entity without hindrance.”
Forms of Disclosure
Contains express form requirements for disclosures, including for opt-out notices and online webforms and links.
Consumers’ “Right to Say No,” And Opt-Outs & Opt-Ins
Consumers have a right to say no to the sale of their information at any time. Collectors have to provide an opt-out notice first before consumer information may be shared. Sellers have to obtain an “explicit notice” before they can sell information.
Minors under 16-years of age must “opt-in.”
Seller must provide clear and conspicuous link on homepage to allow consumer to opt out of sale of personal information.
Clearer exceptions for: (1) completion of the business purpose with the consumer, (2) security and debugging purposes, and (3) comply with a legal purpose.
Requirement of Privacy Statement
A privacy statement that describes:
(1) a description of consumers’ rights and the methods of submitting requests;
Discriminatory Use of Personal Information Prohibited
Requirement that business not discriminate against consumers for exercising their rights under the title, including by:
(1) Denying goods or services;
…unless the above is related to differences resulting from “the value provided to the consumer by the consumer’s data.”
Business may offer financial incentives to consumers, however, to obtain their personal information. But the practices for this entire subsection may not be “unjust, unreasonable, coercive, or usurious.”
(1) to comply with federal, state, or local laws;
(1) Private right of action by consumers for between $100-$750 per violation in statutory or actual damages, after 30-notice to cure, if it can be cured. Consumer will then notify state AG, if any, whose action will terminate consumer action.
About the Authors:
Yanni is an attorney in the firm’s San Francisco office, focusing on cybersecurity, privacy, and data breach investigations.
Mark C. Mao
Mark Mao is a former-IT consultant and high-tech “geek,” now lawyer specializing in litigating and advising organizations on technology and privacy issues.
Sheila is certified by the International Association of Privacy Professionals (IAPP) as a Certified Privacy Professional in the United States (CIPP/US) and specializes in cyber security and data privacy matters for financial services and technology companies.
Ronald I. Raether, Jr.
Ron understands technology and specializes in responding to data integrity events (breach response) and advising companies on maximizing data use through multiple regulatory environments.