BlackBerry Blog

The Impact of Sweeping Privacy Changes in California

FEATURE / 07.23.19 / Troutman Sanders

California legislators recently passed Assembly Bill 375 - commonly known as the “California Consumer Privacy Act” - which will grant Californians increased control over their personal data.

The Act will have substantial effects on any business that has appreciable interactions with California, in how they store, share, disclose, and engage with consumer data. The Act will be effective as of January 1, 2020.

To comply with the new Act, businesses will need to create internal processes to respond properly and promptly to consumer requests for information, requests for deletion, and requests to opt out of having their information sold. Businesses will also need to update their privacy policies and websites to provide the more stringent disclosures and the methods by which consumers can exercise their newly acquired rights.

Vendor management and controls will also need to be updated to ensure compliance with the limitations provided for in the Act. Businesses heavily reliant upon analyzing data will need to heighten technological capabilities to ensure that personal information is de-identified.

Impact on Technology Companies

For technology companies, this Act may create additional obstacles to innovations that leverage economies of scale across different organizations, whether through shared platforms or shared technologies. Consider companies that have created tools permitting other companies to release consumer-facing mobile applications through various APIs and SDKs. While stakeholders often start with a common set of technologies, each partner may ultimately use the tools in its own unique way.

Consumers may argue that the web of privacy policies ultimately needs to be reconciled amongst the stakeholders, because the ecosystem is presented to all consumers as one comprehensive application.

Practically, all parties involved in an ecosystem will likely be affected by the conduct of the others, which is a shift from the traditional American digital paradigms. However, the basic tenets are familiar to those of us who have worked with the Fair Credit Reporting Act and other statutory schemes that build off of the Fair Information Privacy Principles.

Partners and vendors will need to be carefully vetted prior to engagement by business teams and legal counsel. Each involved party will need to understand the data that the others are collecting, sharing, and selling, and obtain representations and warranties in their agreements to protect itself from a consumer class action or regulatory enforcement.

Additionally, many contractual provisions such as licensing of data and indemnity will become greater points of contention in business-to-business deals and should be carefully discussed and reviewed with legal counsel.

Act Summary and Analysis

Below is our summary and analysis of the Act:

What is “Personal Information”?

Effectively adds the following categories of information:

  • Records of personal property, products, or services, and “consuming histories or tendencies”;
  • Biometric data;
  • Clickstream and “other electronic network activity information”;
  • Geolocation data;
  • Consumer sensory information;
  • Professional or employment-related information;
  • Educational information not publicly available;
  • “Inferences drawn” from personal information.

Does not include “public information” and “de-identified information.” But public information does NOT include: (1) information that is used in a way not compatible with its original purpose, or (2) de-identified or aggregate information.

When Is Personal Information “De-Identified”?

Personal information is not considered “de-identified” unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information.

Consent and Proportionality

Adds the concept of proportionality (i.e., “reasonably necessary”) to the definition of “business purpose,” which must have been permitted.

What Is “Selling” of Personal Information?

“Selling” personal information includes “releasing, disclosing, disseminating, making available” for “valuable consideration.” It does not include third-party processors who receive that information only for processing.

Consumers’ Right to Request

Collectors – Consumers have the right to request (1) the categories of information collected, (2) from whom it was collected, (3) the specific business purposes for which it was collected, and (4) with whom it is shared.

Sellers – Consumers have the right to request (1) the categories of information sold, and (2) to whom it was sold. “Sellers” appear to also be “collectors.”

Both may require a verifiable request. Certain exceptions to the above apply for truly “one time” uses.

Consumers’ Right to Delete Records

Businesses that receive verifiable requests from consumers to delete their personal information must delete, and direct any service providers to delete, such information. Compliance is not required if it is necessary for the business or service provider to maintain the personal information (such as for legal, security, or transactional needs).

Response In a “Readily [Machine] Useable Format”

Businesses must disclose and deliver the required information to the consumer within 45 days, in writing and delivered through the consumer’s account, or, at the consumer’s option, by mail or electronically if the consumer does not maintain an account, “in a readily useable format that allows consumer to transmit this information from one entity to another entity without hindrance.”

Forms of Disclosure

Contains express form requirements for disclosures, including for opt-out notices and online webforms and links.

Consumers’ “Right to Say No,” And Opt-Outs & Opt-Ins

Consumers have a right to say no to the sale of their information at any time. Collectors must provide an opt-out notice before consumer information may be shared. Sellers must obtain an “explicit notice” before they can sell information.

Minors under 16 years of age must “opt in.”

Sellers must provide a clear and conspicuous link on the homepage allowing consumers to opt out of the sale of their personal information.

Clearer exceptions apply for: (1) completion of the business purpose with the consumer, (2) security and debugging purposes, and (3) compliance with a legal purpose.

Requirement of Privacy Statement

Businesses must publish a privacy statement that includes:

(1) a description of consumers’ rights and the methods of submitting requests;
(2) a list of categories of information collected;
(3) a list of categories of information disclosed;
(4) a list of categories of information sold.

Discriminatory Use of Personal Information Prohibited

Businesses must not discriminate against consumers for exercising their rights under the title, including by:

(1) Denying goods or services;
(2) Charging different prices or imposing penalties;
(3) Providing a different quality of service;
(4) Suggesting the above;

…unless the above is related to differences resulting from “the value provided to the consumer by the consumer’s data.”

Businesses may, however, offer financial incentives to consumers to obtain their personal information. But the practices under this entire subsection may not be “unjust, unreasonable, coercive, or usurious.”

Exceptions

Exceptions:

(1) to comply with federal, state, or local laws;
(2) cooperate with law enforcement;
(3) all activities take place outside of California;
(4) HIPAA exception;
(5) FCRA exception, for generation of a consumer report;
(6) GLBA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(7) DPPA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(8) Small businesses not covered by the definition of “business.”

Enforcement

Enforcement:

(1) Private right of action by consumers for between $100 and $750 per violation in statutory or actual damages, after a 30-day notice to cure, if the violation can be cured. The consumer will then notify the state AG, if any, whose action will terminate the consumer action.
(2) State AG enforcement is available for stiffer penalties (up to $7,500 per violation). The Act also gives prescriptive authority to the AG.


About the Authors:

Yanni Lin
Yanni is an attorney in the firm’s San Francisco office, focusing on cybersecurity, privacy, and data breach investigations.

Mark C. Mao
Mark Mao is a former IT consultant and high-tech “geek,” now a lawyer specializing in litigating and advising organizations on technology and privacy issues.

Sheila Pham
Sheila is certified by the International Association of Privacy Professionals (IAPP) as a Certified Privacy Professional in the United States (CIPP/US) and specializes in cyber security and data privacy matters for financial services and technology companies.

Ronald I. Raether, Jr.
Ron understands technology and specializes in responding to data integrity events (breach response) and advising companies on maximizing data use through multiple regulatory environments.


About Troutman Sanders

A Higher Commitment to Client Care

At Troutman Sanders, we believe that our value lies in how our highly skilled and integrated team can use its collective knowledge of your organization and of your markets to help you realize your most important goals. Knowledge, and how we use it, is the cornerstone of all of our client relationships.

A law firm is more than its head count, the number of its offices or its specific practice mix. Indeed, beyond the “what” and the “how” is the “why” — the core values that explain why this particular group of dedicated professionals has come together to provide clients with the benefit of their collective experience and expertise.

For Troutman Sanders, the “why” that binds us together as a firm matters to the kind of clients we excel at representing — clients who demand not only the highest caliber of legal work, but an equally satisfying relationship with their outside counsel.

For us, practicing law is about commitment, and our “higher commitment to client care” is one of the most important values that differentiates us from other law firms. In recognition of our strong client service culture, our firm has been on the BTI Client Service A-Team for 13 consecutive years.