If you use the web much, you probably noticed a flurry of new privacy notices at the end of last year, either as pop-ups when you visited a website or as emails. These notifications were all due to the California Consumer Privacy Act (CCPA), the new privacy law that went into effect on January 1, 2020.
The law applies to for-profit businesses that do business in California and meet any one of three thresholds: annual revenues over $25 million; buying, selling or collecting the personal information of 50,000 or more consumers, households or devices per year; or, for a company of any size, deriving 50% or more of annual revenue from selling consumers' personal information.
The new law places a lot of requirements on businesses serving California. Businesses must give California consumers the ability to opt out of having their personal information sold to others. Consumers must be given the option to have their data deleted. Consumers must be able to view the data collected about them. Consumers must also be told the categories of third parties to which their data has been sold.
The new law defines personal information broadly to include things like name, address, online identifiers, IP addresses, email addresses, purchasing history, geolocation data, audio/video data, biometric data, and inferences drawn from any of that data to profile a consumer's preferences, characteristics or psychological trends.
The penalties for violating the law are severe. The California Attorney General can seek civil penalties of up to $2,500 per violation, and up to $7,500 per violation if a company intentionally violates the law; with thousands of affected consumers those per-violation figures add up quickly. Consumers themselves get a private right of action when their personal information is exposed in a data breach caused by a failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident and no need to prove actual harm. That breach provision is where the class action lawsuits will come from, and it's not hard to anticipate them already brewing.
While these new rules only govern how businesses interact with California consumers, many websites have taken the safe approach and are applying the new rules to everybody. That's the safe approach because it's difficult for a website to reliably know where a visitor is from, especially for people who use VPNs to hide their location, and the cost of wrongly denying a Californian their rights is higher than the cost of extending those rights to everyone.
California isn't the only state with new privacy rules. Washington has rules that are not as severe as California's but that still layer a lot of new requirements onto ISPs. New York is working on a privacy law that is said to be even tougher than California's.
These state laws exist only because Congress seems unable to pass a set of federal privacy rules. The issue has been debated over the last two years, and draft bills have been written, but no proposed law has come before the Senate for a vote, so the issue has gone nowhere. People are rightfully concerned about how their data is being used, and many want the government to set some guidelines to protect them. The states are filling the legislative void left by federal legislators' inaction.
Web companies will face dilemmas as state privacy laws proliferate. Do they try to apply each state's rules only to customers in that state? What's most concerning for web companies is that as more states pass privacy laws, some of those laws will inevitably conflict. There is also a big question about how these laws apply to foreign companies. The California law is written to apply to every business interfacing with California consumers, wherever that business is located. To complicate matters further, the European Union's privacy rules (the GDPR) are also tough, apply to any company handling EU residents' data, and will inevitably conflict with parts of the California rules.
Like all new laws, this one will be tested in court. The more interesting challenges will be how the law affects companies from outside California. The $25 million revenue threshold is low, and there are numerous companies across the country of that size that have likely done nothing in response to this law. A company that keeps even the most rudimentary database of customer information is covered by the law if anybody in that database resides in California, and if it hasn't provided the required notices and a way for those consumers to exercise their rights, it is theoretically already in violation. There are going to be lawyers trying to make a living from chasing companies that violate the law, and I doubt it will take long for the first lawsuits to surface.