Complying with California’s Consumer Privacy Act of 2018

13 August 2018 Labor & Employment Law Perspectives Blog

If you received a wave of “We’ve Updated Our Privacy Policy” emails recently, here’s why: California just passed the California Consumer Privacy Act of 2018, effective January 1, 2020, affording California residents unprecedented, expansive data privacy rights.

While the Act is broadly applicable to qualifying businesses, employers should pay special attention to their duties under the Act as described below.

Generally, the Act provides consumers, who are defined as California residents, with five basic rights in relation to their personal information:

  1. The right to know: The right to know what personal information is being collected about them, whether their personal information is sold or disclosed, and to whom.
  2. The right to deletion: The right to request deletion of personal information from business servers and service providers.
  3. The right to opt out: The right to say no to the sale of personal information.
  4. The right to access: The right to access their personal information.
  5. The right to equal service: The right to equal service and price, even if they exercise their privacy rights.

Under the Act, personal information is broadly defined as non-publicly available “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act goes on to list a variety of specific types of information or data that falls within this broad definition.

How Will the Act Work?

The Act is designed to change how businesses collect and sell consumers’ personal information. It requires that businesses make certain disclosures to consumers via their privacy policies or at the time the personal data is collected.

Businesses that sell consumer data to third parties must disclose that practice and give consumers the right to opt out by supplying a link titled, “Do Not Sell My Personal Information.” For consumers younger than the age of 16, a business must not sell their personal information without that consumer’s affirmative consent, and for consumers younger than the age of 13, without the affirmative consent of the consumer’s parent or guardian.

Consumers also have the right to request specific information from businesses, including what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. Under the Act, businesses must provide at least two methods for consumers to submit requests for disclosure, including, minimally, a toll-free telephone number and website. Businesses will have to disclose the requested information within 45 days of receipt of the consumer’s request, free of charge.

What Businesses Must Comply With the Act?

The Act will apply to every business that collects and sells consumer personal information or discloses personal data for a business purpose. However, not all businesses qualify. To fall within the scope of the Act, the business must also meet one of three additional criteria:

  1. Have $25 million or more in annual revenue; or
  2. Possess the personal data of more than 50,000 “consumers, households, or devices;” or
  3. Earn more than half of its annual revenue selling consumers’ personal data

How Will the Act Be Enforced?

The Act can be enforced by the California Attorney General, subject to a 30-day cure period. Businesses that fail to cure could face a penalty of up to $7,500 if the violation is found intentional. Consumers may also bring a private right of action, individually or as a class, if their sensitive personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain required reasonable security procedures. Statutory damages range between $100 and $750 per consumer per incident, or actual damages, whichever is greater.

Implications for Employers

  • The Act applies to all California residents, so although the Act uses the term “consumers,” privacy obligations extend not only to the general public but also to employees. Employers should proceed with the understanding that their employees are protected under this Act.
  • The Act specifically defines “personal information” to include professional and employment-related information. Therefore, employers should take particular care to be in compliance in their handling of employee records.
  • Businesses will need to update their privacy policies with information about opting out with a link to the opt-out page and information required by the right to know. Employers should ensure these updates to their privacy policies and information about opting out are shared with their employees.
  • Businesses will need to be able to identify and isolate all consumer data, if any, they sell to ensure no data of a consumer who has opted out is sold.
  • Businesses will need to offer a toll-free number and a website for individuals to opt out.
  • Finally, as a best practice, training programs should be designed and implemented for employees who are responsible for handling consumer inquiries about the business’s privacy practices and who are responsible for employment and other records that constitute personal information.

While the Act is defined to protect California residents, it has a more expansive reach, since many American companies in some manner process data regarding consumers in California. Regardless of whether your business is physically located in California, if you possess personal data from any Californian (employees or otherwise), those individuals’ data is subject to protection under the Act.

Given the size of California, this means that numerous companies will be affected. If you are such a company, you should be aware of these requirements and train your appropriate personnel accordingly.

Consumer privacy remains a hot topic, and employers are well advised to review their existing privacy policies for compliance with applicable laws.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services