Hanson Yu, Legal Intern
Federal Trade Commission
On June 28, 2018, California Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (“CPA”). The CPA, which takes effect on January 1, 2020, will give consumers unprecedented control over the data that businesses gather about them and imposes significant penalties on businesses that do not comply. The CPA will force companies to establish new protocols that satisfy the law’s requirements. Many of its provisions are new to the United States but closely mirror the EU’s General Data Protection Regulation (GDPR), which went into effect earlier this year.
The CPA will expand consumer data protections across the board. The CPA, which adds sections 1798.100 to 1798.198 to the California Civil Code, broadens the scope of current protections in two important ways. First, the CPA defines “consumer” as any “California resident.” This means that groups not traditionally treated as consumers, such as students, tenants, and employees, will count as consumers under the new law. Second, the CPA expands the definition of personal information to include data only indirectly related to an individual or household, e.g., internet browsing history, annual household energy usage, and shopping habits.
Four Requirements that will Change the Privacy Game
The Act spells out four new requirements that businesses must follow regarding the collection and sale of personal information. First, businesses that collect or sell consumer data must disclose:
- categories and specific personal data that they have either collected or sold;
- how they plan to use the data; and
- data that they intend to share with third parties.
Once businesses collect a consumer’s data, they cannot use the information for an unrelated purpose without first notifying the consumer. Businesses are exempt from the disclosure requirement if they collected the data for a one-time transaction and do not otherwise intend to use, sell, or retain it.
Second, California residents may request that businesses delete their personal data. Exceptions include data that is necessary for the business to:
- identify and repair errors that impair functionality;
- protect against security incidents/illegal activity; and
- comply with legal obligations.
Third, consumers must have the option of opting out of having their personal data sold to third parties. Stricter requirements apply to minors: consumers under the age of 16 must expressly opt in, and for children under the age of 13 a parent or guardian must opt in on their behalf. The CPA also forbids businesses from refusing to provide goods or services to individuals who opt out. Businesses may charge different prices or provide tiered services based on a consumer’s chosen privacy preferences only if the difference is reasonably related to the value the consumer’s data provides to the business.
Fourth, businesses may offer financial incentives to entice consumers to provide personal data, but they must:
- be clear with consumers about all financial incentives;
- present incentives as opt-in decisions; and
- allow consumers the option to opt-out at any time.
Consumers may authorize another person or organization (including companies, activists, and other associations) to exercise opt-out rights on their behalf.
Non-Compliance Comes with a Hefty Price Tag
The changes will also affect entities that had previously escaped privacy laws—namely small businesses. The CPA will apply to all businesses that satisfy any one of three requirements:
- reports annual gross revenue in excess of $25 million,
- annually acquires personal information of 50,000 or more California residents, households, or devices, or
- receives 50% or more of its annual revenue from selling consumer data.
This means that even relatively small businesses may find themselves caught in the headwinds because simple day-to-day business operations, e.g., maintaining a website, can quickly accrue large amounts of consumer data. For example, most websites passively capture individual IP addresses, which count as personal information.
Careless businesses may quickly find themselves paying substantial fines:
- For unintentional violations of any provision in the Act, civil actions brought by the California Attorney General may lead to fines of up to $2,500 per violation if the company fails to fix the violation within 30 days of notice.
- For intentional violations, civil actions brought by the California Attorney General may lead to fines of up to $7,500 per intentional violation.
- California residents may bring civil actions, including class actions, when their personal data is leaked or stolen because a business failed to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.