In a surprising twist, the California legislature rushed last week to pass one of the most comprehensive privacy laws in the country. The bill was introduced only a week prior, and within hours of passage, it was signed into law by Governor Jerry Brown. As strict as the act is, it was enacted to avoid an even more restrictive ballot initiative, which the initiative's sponsor agreed to withdraw.
The California Consumer Privacy Act of 2018 requires covered businesses to make new disclosures to consumers about their data collection, use, and sharing practices; allows consumers to opt out of certain data sharing with third parties; and provides a new cause of action for consumers and the California Attorney General to bring lawsuits against companies that suffer data breaches. In some respects, the act may well go beyond the requirements of the European Union's General Data Protection Regulation (GDPR), which recently came into force. The act takes effect on January 1, 2020, and, without revisions, may upend the ad-supported business model that underlies much of the modern digital economy.
As a consequence of its accelerated legislative process, the act contains a number of errors and contradictions, and does not address directly how it will interrelate with existing California privacy laws that overlap with some of its provisions. Consequently, numerous crucial questions remain open. Generally speaking, in passing the act, the California legislature intended to create five new rights for Californians. These include the rights:
To create these rights, the act includes several new obligations for businesses, as well as a new cause of action for data breaches. Importantly, the act is broader in scope than existing California privacy laws like the California Online Privacy Protection Act of 2003 (CalOPPA), as it applies to all business activities, whether online or offline.
Coverage
The act applies to for-profit entities doing business in California that meet specified criteria. For the act to apply to a business, the business must collect personal information of California consumers, determine the purposes and means of processing that personal information solely or jointly with others, and either:
The act may apply to a significant—and potentially unexpected—number of companies, particularly with the act's broad definitions of "personal information" and "sell," as explained in further detail below.
Notice Provisions
The act requires businesses, at or before the point of collection, to inform consumers of the categories of personal information that the business collects and the purposes for which the business will use the information. The act also requires businesses that "sell" consumers' personal information to provide notice to consumers and offer the consumer the ability to opt out of that sale, as discussed below. Businesses must also, either in a privacy policy or a California-specific notice, disclose consumers' rights under the act and identify the categories of third parties with whom the business will share consumers' personal information.
Consumer Information, Access, and Deletion Requests
The act provides consumers with a right to request the categories and specific pieces of personal information that the business has collected, and also to request that the business delete all of the consumer's personal information. Businesses are not obligated to delete data retained for certain purposes, including retention for internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and retention for the exercise of free speech or other rights provided for by law.
Upon a consumer's request, a business must disclose:
Similar obligations exist for the sale of data. Businesses must provide consumers with this information free of charge and, where relevant, in a portable and readily useable format.
Opt-Out Rights
The act provides consumers with the right, at any time, to opt out of having their information "sold" to third parties. Businesses that "sell" personal information must notify consumers of their right to opt out by providing a clear and conspicuous link on their website homepage or in their app titled "Do Not Sell My Personal Information." While many businesses may not believe they are selling consumers' personal information under the traditional meaning of "sell," the act defines "sell" or "sold" extremely broadly to cover any disclosure of personal information for monetary or other valuable consideration. Disclosures to service providers do not constitute a "sale" and therefore do not trigger the obligation to provide an opt-out.
For consumers under the age of 16, this opt-out is reversed and becomes an opt-in. Specifically, businesses may not sell the personal information of consumers if the business has actual knowledge that the consumer is under 16 years of age. Businesses may obtain the consumer's consent if the consumer is between 13 and 16, or the parent's consent if younger than 13.
Exactly how broadly the concept of "selling" consumers' personal information will be interpreted is an open question, the answer to which will have far-reaching consequences.
Fee for Service Permitted (but Discrimination Prohibited)
The act states that businesses may not discriminate against a consumer by charging a different price or rate, or providing a different level or quality of good or service, because the consumer exercised any rights under the act. Nevertheless, the act carves out an exception where the difference is "reasonably related to the value provided to the consumer by the consumer's data." Exactly what this means and how it can be calculated are not explained. The answer to this critical open question will likely dictate whether and how the ad-based Internet economy can operate in the future.
A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.
Cause of Action for a Breach
One of the most notable aspects of the act is the creation of a private right of action for consumers whose personal information is subject to a data breach. Under the act, any consumer whose information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business' violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action. Importantly, the Attorney General may bring an action instead of the consumer, or may simply notify the consumer that the consumer shall not proceed with the action. If a consumer overcomes these hurdles, he or she may initiate an action to recover statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
Other Aspects and Impact
The act's definition of "personal information" is very broad, and could be interpreted to go well beyond most other U.S. privacy legislation and the GDPR. Under the act, "personal information" is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The definition expressly includes Internet Protocol address, biometric information, internet activities, geolocation information, employment-related information, information about commercial purchases, audio, electronic, visual, thermal, and olfactory information, as well as "characteristics of protected classifications under California or federal law," and "inferences drawn from [any other personal information] to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
The act does not make clear how it interrelates with other California privacy laws, such as CalOPPA or California's Shine the Light law, though the act does state that in the event of a conflict between other laws and the act, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control. The act does not apply to data that is already subject to regulation under certain federal laws, including the Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), or Driver's Privacy Protection Act (DPPA). Because the act touches on the collection and sharing of data from minors under 13, affected businesses will need to consider how the act interacts with the federal Children's Online Privacy Protection Act (COPPA).
Businesses have 30 days to cure alleged noncompliance after being notified of it. The act prohibits businesses from creating contracts or agreements that purport to waive a consumer's rights under the act. Business may wish to evaluate whether mandatory arbitration and class action waiver clauses in their terms of service cover activities contemplated by the act, and ensure that such clauses are enforceable.
The act may be challenged in a number of ways, including on the basis that it is unconstitutional on First Amendment grounds or void for vagueness. Legislators have already said they expect to pass "cleanup bills" to correct flaws before the act comes into effect, and industry groups have begun to push for amendments to the legislation. Under the act, businesses may seek the opinion of the Attorney General for guidance on how to comply.
Wilson Sonsini advises companies on privacy and data security issues and will monitor opinions issued by the Attorney General, revisions to the act, and litigation and enforcement pursuant to the act in order to assist clients with compliance with this privacy law shift. For more information, please contact Lydia Parnes, Chris Olsen, Tracy Shapiro, Matt Staples, Edward Holman, or another member of the firm's privacy and cybersecurity practice.