The (Already) Amended California Consumer Privacy Act of 2018's Dramatic Changes to the Privacy Landscape and What This Means for Businesses

The Backstory to the Dramatic Change to the California Privacy Landscape

California has long been a trailblazer in consumer protection, including in the cyber and privacy spheres. In 1972, the California Constitution was amended to include an explicit and inalienable right to privacy. It was the first state to pass a data breach law and to require website privacy policies.

In this spirit, San Francisco real estate mogul Alastair MacTaggart bankrolled and advocated for a consumer protection initiative that would dramatically augment consumer privacy rights to appear on the ballot in 2018. MacTaggart’s efforts succeeded: He gathered significantly more signatures on his initiative than necessary.  The threat of a broadly written voter referendum or something similar to communicate the concern over the proposition catalyzed swift action by legislators and tech giants who, in only two days, gathered together and drafted the California Consumer Privacy Act of 2018 (CaCPA) as a compromise in lieu of MacTaggart’s proposal. Despite being labeled a “compromise,” CaCPA significantly expands notions in California about what constitutes private data – in light of the increasing presence and power of big data and technology – and what rights consumers have over it.

Amending the Rough Edges

Unsurprisingly, given the quick turnaround of CaCPA, it became apparent that the law as written would require amendments. While the law was passed in June 2018, it will not be enforced until 2020, leaving a window of time for revision. Indeed, amendment efforts were swiftly undertaken. The legislature approved the first round of amendments in August and the governor signed them into law on September 23, 2018. 

What the Amended Law Means for Businesses

CaCPA is making staggering changes to the privacy landscape. A summary of some of the critical provisions of the law, including the most recent round of amendments, appears below.

Who Does CaCPA Apply to?

It is projected that CaCPA will apply to more than 500,000 U.S. companies. Specifically, the law is defined as regulating any for-profit entity that either:

• Makes $25 million in annual revenue;
• Holds the personal data of 50,000 people, households, or devices; or
• Makes at least half of its revenue in the sale of personal data.

What Data Does CaCPA Protect?

The law protects certain consumer data. Protected consumers are limited to natural persons who are California residents. Protected “Personal Information” includes “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

The law, as amended, provides 11 sample categories of the types of data that constitute “Personal Information” if the data can be directly or indirectly tied to a consumer or household. Some of these examples include:

• Identifiers such as a name, address, IP address, etc.;
• Biometric information;
• Geolocational data;
• Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
• Professional or employment-related information;
• Internet or other network activity such as browsing or search history, or other online interactions;
• Behavioral advertising profiles created from inferences drawn of “Personal Information”; and
• Audio, electronic, visual, or similar information.

However, the law exempts application of CaCPA to certain otherwise regulated data (e.g., data regulated by the GLBA, HIPPA, certain clinical trial data, etc.). The amendment also clarifies that the requirements and rights created by the act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws, or that conflict with the California Constitution.

What Consumer Rights Are Granted by CaCPA?

CaCPA empowers consumers with the following rights regarding their personal data:

• Knowledge: A business must disclose ­– before or at the time of collection of personal data – the type of data collected, the purpose of collecting it, and the third parties receiving it.  
• Access: Upon an identity-verified consumer request (but no more than twice in 12 months per consumer), a business must disclose what data is collected and how it is being used or shared and (if requested) deliver, free of charge, the consumer’s personal information. If provided electronically, and is technically feasible, it must be in a usable format that allows the consumer to transmit the data to other parties.
• Deletion: A business and its direct service providers must delete from their records personal data unless it is necessary for certain instances of the following: transactions with the consumer, research, free speech purposes, legal obligations, security and prosecution issues, functionality repair issues, and other legitimate internal uses. Businesses that collect a consumer’s personal information must disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer.
• Opt-Out: A consumer can opt out of her data being sold, and a business must put a special “Do Not Sell My Personal Information” button on its website to make it easy to exercise this right.
• Minor Opt-In: Sale of children’s data will require express opt-in, either by the child, if between ages 13 and 16, or by the parent if the child is younger than that.
• No Discrimination: A business must not “discriminate against a consumer” based on the exercising of any of the rights granted in the bill. However, businesses may offer higher tiers of service in exchange for more data if the difference is reasonably related to the value of the consumer’s data. 

What Happens if Businesses Do Not Comply?

The regulatory and privacy actions provided for under the CaCPA should be important to companies, considering the potential statutory damages for a data breach involving a consumer’s nonencrypted or nonredacted personal information – to the extent that the business failed to maintain reasonable security measures – caused the breach. The attorney general may issue civil penalties of up to $7,500 per violation, and a consumer may seek up to $750 per violation in a private action if a business fails to cure the violation within 30 days of notice.

While this law does not go into effect until 2020 and will likely be revised again before then, attorneys advising on, and companies subject to, the European General Data Protection Regulation understand the value of adopting appropriate business practices, policies, and contracts to meet the requirements of the law and to prevent financial and negative PR exposures for violations. This means it is important for businesses to take time to understand and start acting on CaCPA compliance now.