In June 2018 California enacted a new privacy law, the California Consumer Privacy Act (CCPA), that adopts some of the requirements of the European Union's General Data Protection Regulation (GDPR), which went into effect in May 2018. The California law goes into effect on January 1, 2020 and will affect a lot of US companies, including many not located in California, because it applies to any for-profit business that collects and processes the personal information of California residents. For now, small companies are largely exempt: the law reaches a business only if it has annual revenues above $25 million, or buys, sells or shares the personal information of 50,000 or more consumers, households or devices, or derives half or more of its revenue from selling personal information. Non-profit entities are exempt altogether.
The law defines personal information much more broadly than any other US privacy legislation. Personal information is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Extending the definition to households, not just individual residents, is a big expansion of privacy rules, since prior rules only considered information about identifiable persons. The law includes a list of examples of personal data such as Social Security numbers, credit card numbers, and driver's license numbers, but it goes a lot further and covers things like the data captured and tracked by marketing cookies, including IP addresses and information about a visitor's computer or phone. While the law excludes information that is publicly available, essentially any information a company collects about its customers should be treated as personal information under this law.
The new law provides specific rights to consumers:
Disclosure: A business must notify customers about its data collection practices. Companies must disclose the categories of personal information being collected, describe how it is collected and used, and disclose whether that data is being shared with or sold to anybody else. This is to be provided in a publicly posted privacy notice and also needs to be made available to consumers upon request.
Opt-Out: Customers must be provided an easy-to-understand process for opting out of having their data sold to third parties. Consumers under 16 must affirmatively opt in before their data can be sold, and for children under 13 a parent or guardian must provide that consent. Companies must provide a clear "Do Not Sell My Personal Information" link on their main home page.
Information Removal: Customers must be provided the ability to have a business delete their personal information, and companies must let customers know they have this right. If a customer exercises this option, a business must not only delete the information from its own records but must also direct any third-party service providers that were given the personal information to delete it as well.
No Discrimination: Businesses cannot discriminate against customers who elect to keep their data private, and they can't charge an extra fee or degrade service because a customer chose a privacy option. Interestingly, though, businesses can offer an incentive for customers to make their data available, such as a discount in exchange for allowing the business to use the data, as long as the value of the incentive is reasonably related to the value of the data.
In the same manner that recently happened in Europe, US companies covered by this law have a lot of things to put into place by the first of next year. Most companies won't find it hard to make the needed disclosures and notices, but putting processes in place that actually delete customer data, including data that was passed on to somebody else, can be a huge challenge: you can't delete what you haven't inventoried, so the first step is knowing every system, backup and vendor that holds a given customer's records. One of the hardest requirements to meet will be the one that requires companies to implement and maintain reasonable security procedures to protect against data breaches.
The penalties for not complying with the law are high. A company can be fined up to $2,500 for every violation and up to $7,500 for each intentional violation (such as not deleting data after assuring a customer it was done). Companies can avoid fines by coming into compliance within 30 days of being notified by the California Attorney General of a violation.
The law also opens companies to litigation from customers. It gives consumers the right to sue if their nonencrypted and nonredacted personal information is accessed, stolen or disclosed because the business failed to implement reasonable security. Consumers can file individual or class action lawsuits and can recover between $100 and $750 per consumer per incident in statutory damages, or their actual damages if those are greater. This law will almost certainly spur a class-action lawsuit every time there is a big data breach, which gives encrypting stored personal data a concrete value: a breach of data that was encrypted at rest falls outside this private right of action.
I've reported on this law for a few reasons. California often leads the country on new legislation, and it's likely that some version of this law will spread elsewhere across the country. For instance, as I was writing this blog the state of Maine passed legislation that is even more stringent in a few areas. There is also a bipartisan effort in Congress looking at privacy rules, and this law is certain to influence that effort.
This law doesn't just apply to web vendors. Parts of this law apply to anybody that collects sensitive customer data over the Internet, such as ISPs and utilities. It's a warning to every business to take steps to protect against breaches of customer information.