An In-depth and Easy-to-Understand Interpretation of California's 2018 Consumer Privacy Act.

2024-09-27 01:06:03

Clients that conduct business in California and collect personal information of California residents should, if this law applies to their company, familiarize themselves with California's new 2018 Consumer Privacy Act (hereinafter referred to as "the Act") and begin compliance preparations.

Who should prepare for the Act?
The Act applies to "covered businesses" defined as those that (i) conduct business in California, (ii) collect "personal information" of California consumers, and (iii) meet one or more of the following conditions: (A) annual gross revenues exceeding $25 million; (B) purchase, receive, sell, or share personal information of 50,000 or more California consumers, households, or devices for commercial purposes; or (C) derive 50% or more of their annual revenues from selling California consumers' personal information.

The Act defines "personal information" as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Under this definition, personal information encompasses almost any data a business might collect or maintain about a consumer or a consumer's household.

When should businesses start preparing for the Act?
It is particularly noteworthy that the Act has a 12-month look-back provision. After the Act takes effect on January 1, 2020, consumers will have the right to request all data collected about them over the past 12 months (as early as January 1, 2019). Covered businesses subject to the Act need to take immediate action to prepare for compliance.

What happens if a company does not comply with the Act?
If a company does not comply with the Act, the California Attorney General can impose civil penalties of between $2,500 and $7,500 for each violation. The Act also stipulates statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, for data breaches resulting from the company's failure to implement reasonable security measures appropriate to the nature and sensitivity of the consumer personal information it holds.

How should companies prepare for compliance with the Act?
Data Mapping for Consumer Rights to Know and Access
Companies should begin data mapping and establish data tracking systems as early as possible in 2019. If a consumer requests a report on their personal information under the Act, the company has 45 days to prepare a comprehensive report on their personal information, including what information was collected, the purpose of collection, whether the information has been sold, and if so, the information of the buyers (including names and addresses). Consumers are entitled to make such requests twice a year. The Act also requires companies to develop methods to verify the legitimacy of such consumer requests.

Privacy Terms for Consumers' Rights to "Opt-Out" or "Delete Personal Information"
Companies need to provide consumers with the option "not to share data with third parties," known as the "opt-out" right. For minors under 16, the Act requires companies to obtain explicit consent from the consumer before selling their personal information to third parties (and parental or guardian consent for those under 13). Companies must also inform consumers of their right to delete personal information collected and maintained by the company and provide information on how to submit such requests.

Therefore, companies may need to review their system mechanisms to ensure they allow consumers to opt-out of information sharing and delete their personal information data. If consumers choose to exercise their rights under the Act, such as the right to opt-out or delete personal information, companies cannot discriminate against consumers.

Ensuring Information Security Compliance with Legal Requirements
The Act requires businesses to implement and maintain reasonable security procedures and practices appropriate to the sensitivity of the personal information they handle. As mentioned above, under the Act, inadequate information security measures could expose companies to the risk of private lawsuits by consumers in the event of a data breach.

Reviewing and Updating Third-Party Agreements
If a company uses third-party service providers to process consumers' personal information, it may need to review and update agreements with these providers to ensure compliance with the Act.

Updating Privacy Policies
Companies need to revise their privacy policies to include the consumer rights described in the Act and methods for exercising these rights. Additionally, note that the Act requires privacy policies to be updated at least every 12 months.

Please also note that even companies that have recently revised their privacy policies for compliance with the EU General Data Protection Regulation (GDPR) may need to further update their privacy policies as described above to achieve compliance with the Act.

If you would like to learn more about the Act or need assistance in updating your company's privacy policy, please feel free to contact us.

Copyright © 2020-2025 Magstone Law. All rights reserved.