If you received a wave of “We’ve Updated Our Privacy Policy” emails recently, here’s why: California just passed the California Consumer Privacy Act of 2018, effective January 1, 2020, affording California residents unprecedented, expansive data privacy rights.
While the Act is broadly applicable to qualifying businesses, employers should pay special attention to their duties under the Act as described below.
Generally, the Act provides consumers, who are defined as California residents, with five basic rights in relation to their personal information:
Under the Act, personal information is broadly defined as non-publicly available “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act goes on to list a variety of specific types of information or data that falls within this broad definition.
The Act is designed to change how businesses collect and sell consumers’ personal information. It requires that businesses make certain disclosures to consumers via their privacy policies or at the time the personal data is collected.
Businesses that sell consumer data to third parties must disclose that practice and give consumers the right to opt out by supplying a link titled, “Do Not Sell My Personal Information.” For consumers younger than the age of 16, a business must not sell their personal information without that consumer’s affirmative consent, and for consumers younger than the age of 13, without the affirmative consent of the consumer’s parent or guardian.
Consumers also have the right to request specific information from businesses, including what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. Under the Act, businesses must provide at least two methods for consumers to submit requests for disclosure, including, minimally, a toll-free telephone number and website. Businesses will have to disclose the requested information within 45 days of receipt of the consumer’s request, free of charge.
The Act will apply to every business that collects and sells consumer personal information or discloses personal data for a business purpose. However, not all businesses qualify. To fall within the scope of the Act, the business must also meet one of three additional criteria:
The Act can be enforced by the California Attorney General, subject to a 30-day cure period. Businesses that fail to cure could face a penalty of up to $7,500 if the violation is found intentional. Consumers may also bring a private right of action, individually or as a class, if their sensitive personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain required reasonable security procedures. Statutory damages range between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
While the Act is defined to protect California residents, it has a more expansive reach, since many American companies in some manner process data regarding consumers in California. Regardless of whether your business is physically located in California, if you possess personal data from any Californian (employees or otherwise), those individuals’ data is subject to protection under the Act.
Given the size of California, this means that numerous companies will be affected. If you are such a company, you should be aware of these requirements and train your appropriate personnel accordingly.
Consumer privacy remains a hot topic, and employers are well advised to review their existing privacy policies for compliance with applicable laws.