Complying with California’s Consumer Privacy Act of 2018
If you received a wave of “We’ve Updated Our Privacy Policy” emails recently, here’s why: California just passed the California Consumer Privacy Act of 2018, effective January 1, 2020, affording California residents unprecedented, expansive data privacy rights.
While the Act is broadly applicable to qualifying businesses, employers should pay special attention to their duties under the Act as described below.
Generally, the Act provides consumers, who are defined as California residents, with five basic rights in relation to their personal information:
- The right to know: The right to know what personal information is being collected about them, whether their personal information is sold or disclosed, and to whom.
- The right to deletion: The right to request deletion of personal information from business servers and service providers.
- The right to opt out: The right to say no to the sale of personal information.
- The right to access: The right to access their personal information.
- The right to equal service: The right to equal service and price, even if they exercise their privacy rights.
Under the Act, personal information is broadly defined as non-publicly available “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act goes on to list a variety of specific types of information or data that falls within this broad definition.
How Will the Act Work?
The Act is designed to change how businesses collect and sell consumers’ personal information. It requires that businesses make certain disclosures to consumers via their privacy policies or at the time the personal data is collected.
Businesses that sell consumer data to third parties must disclose that practice and give consumers the right to opt out by supplying a link titled, “Do Not Sell My Personal Information.” For consumers younger than the age of 16, a business must not sell their personal information without that consumer’s affirmative consent, and for consumers younger than the age of 13, without the affirmative consent of the consumer’s parent or guardian.
Consumers also have the right to request specific information from businesses, including what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. Under the Act, businesses must provide at least two methods for consumers to submit requests for disclosure, including, minimally, a toll-free telephone number and website. Businesses will have to disclose the requested information within 45 days of receipt of the consumer’s request, free of charge.
What Businesses Must Comply With the Act?
The Act will apply to every business that collects and sells consumer personal information or discloses personal data for a business purpose. However, not all businesses qualify. To fall within the scope of the Act, the business must also meet one of three additional criteria:
- Have $25 million or more in annual revenue; or
- Possess the personal data of more than 50,000 “consumers, households, or devices;” or
- Earn more than half of its annual revenue selling consumers’ personal data
How Will the Act Be Enforced?
The Act can be enforced by the California Attorney General, subject to a 30-day cure period. Businesses that fail to cure could face a penalty of up to $7,500 if the violation is found intentional. Consumers may also bring a private right of action, individually or as a class, if their sensitive personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain required reasonable security procedures. Statutory damages range between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
Implications for Employers
- The Act applies to all California residents, so although the Act uses the term “consumers,” privacy obligations extend not only to the general public but also to employees. Employers should proceed with the understanding that their employees are protected under this Act.
- The Act specifically defines “personal information” to include professional and employment-related information. Therefore, employers should take particular care to be in compliance in their handling of employee records.
- Businesses will need to update their privacy policies with information about opting out with a link to the opt-out page and information required by the right to know. Employers should ensure these updates to their privacy policies and information about opting out are shared with their employees.
- Businesses will need to be able to identify and isolate all consumer data, if any, they sell to ensure no data of a consumer who has opted out is sold.
- Businesses will need to offer a toll-free number and a website for individuals to opt out.
- Finally, as a best practice, training programs should be designed and implemented for employees who are responsible for handling consumer inquiries about the business’s privacy practices and who are responsible for employment and other records that constitute personal information.
While the Act is defined to protect California residents, it has a more expansive reach, since many American companies in some manner process data regarding consumers in California. Regardless of whether your business is physically located in California, if you possess personal data from any Californian (employees or otherwise), those individuals’ data is subject to protection under the Act.
Given the size of California, this means that numerous companies will be affected. If you are such a company, you should be aware of these requirements and train your appropriate personnel accordingly.
Consumer privacy remains a hot topic, and employers are well advised to review their existing privacy policies for compliance with applicable laws.