California sent shock waves around the world in June 2018 when lawmakers unanimously approved the California Consumer Privacy Act of 2018 (CaCPA). The CaCPA is the toughest, most consumer-friendly privacy regulation in the United States. The new law takes effect on January 1, 2020, and applies to any qualifying business that collects personal information about California residents. Businesses that have spent the last two years preparing for the European Union’s General Data Protection Regulation (GDPR) that went into force on May 25, 2018 will be familiar with some of the concepts in the California Consumer Privacy Act, but businesses with a strictly domestic footprint will be surprised at the reach of California’s new law and its requirements.
Some businesses have objected to the unique burdens imposed by the CaCPA and have asked Congress to consider enacting a nationwide, less-stringent privacy law that would preempt the CaCPA. That effort may be getting some early traction. In September and October 2018, the Senate Committee on Commerce, Science and Transportation conducted hearings to discuss the current state of consumer privacy and whether Congress should enact comprehensive federal legislation. Either way, complying with the CaCPA — or an as-yet unwritten federal privacy law — will require careful strategic planning and the use of tools to implement new standards across business platforms.
How Did We Get Here?
California’s CaCPA represents a seismic shift in United States privacy law. In the United States, there is no comprehensive privacy law that protects the privacy of individuals’ personal information in all circumstances. Instead, federal law bestows privacy protection on information in specific sectors. For instance, the privacy of certain health information is protected by the Health Insurance Portability and Accountability Act (HIPAA). 42 U.S.C. §1320d-6. The privacy of student education records is protected by the Family Educational Rights and Privacy Act (FERPA). 20 U.S.C. §1232g. And the privacy of consumers’ nonpublic, personal information held by financial institutions is governed by the Gramm-Leach-Bliley Act. 15 U.S.C. §6801, et seq.
Historically, Congress has been reluctant to federalize privacy laws, even where doing so seems sensible. For instance, each of the 50 states now has its own data breach law on the books. These differing state laws create a patchwork of regulations that vary in terms of who must be notified in the event of a breach, what qualifies as “personal information,” what constitutes a breach, and the time in which notice of the breach must be given. In late 2017 and early 2018, various members of Congress attempted to simplify this framework by proposing at least four different nationwide data breach laws, but as of September 2018, none has made it out of committee.
United States: A Cultural Attitude Shift
Before March 2018, many Americans were indifferent about data privacy. But that changed in March 2018 when Americans learned that Cambridge Analytica, a political consulting firm that did work for the Donald J. Trump 2016 presidential campaign, harvested raw data from up to 87 million Facebook profiles without the knowledge of those users.
Essentially, approximately 270,000 Facebook users took a personality quiz that exposed not only the personal information of the quiz-takers but also the personal information of their Facebook friends, without notice to either the quiz-takers or their friends. Americans were outraged. In April 2018, Facebook CEO Mark Zuckerberg answered questions from 95 different U.S. Senators and Congressmen for two days on Capitol Hill in Washington, D.C. Several members of Congress asked if the United States was doing enough to protect the privacy rights of its citizens, and specifically asked whether the United States should consider a law similar to the European Union’s General Data Protection Regulation (GDPR), a comprehensive privacy law that gives individuals significant rights over the use of their personal information. Mr. Zuckerberg assured America that Facebook was working on increasing privacy protections as quickly as possible. But Facebook was not acting fast enough to satisfy California, so lawmakers threw the process into high gear in June 2018.
The Birth of the California Consumer Privacy Act
In June 2018, California lawmakers rushed to draft and approve the CaCPA to defeat a competing — and in some instances stricter — privacy initiative that had qualified for the November 2018 ballot. The supporters of the competing ballot initiative agreed to withdraw their proposal if Gov. Jerry Brown signed the CaCPA into law by June 28, 2018, the deadline to withdraw ballot initiatives. (Lawmakers generally prefer the legislative process over initiatives because Article II, Section 10(c) of the California Constitution prohibits the State Legislature from amending or repealing a passed proposition without voter input, unless the proposition specifically allows for it.) As a result, the CaCPA was proposed and unanimously passed in seven days. In contrast, the European Union’s GDPR took four years to negotiate and was on the books for two years before it went into effect.
Who Does the CaCPA Apply To?
The CaCPA is a testament to its hasty origins. Portions of the law are inconsistent and incomplete. The law has been amended once already and it is likely to be amended again before it takes effect on January 1, 2020. Although some details remain to be sorted out, one thing is clear: The CaCPA is the strictest, most sweeping privacy law in the United States.
The CaCPA applies to “for profit” organizations that collect personal information about California residents, that determine the purpose and means of the processing of the information, and that meet one or more of the following criteria: has annual gross revenues of more than $25 million; alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or derives 50% or more of its annual revenues from selling consumers’ personal information. Cal. Civ. Code §1798.140(c)(a)(A)-(C). The International Association of Privacy Professionals estimates that more than 500,000 businesses will be affected by the CaCPA.
“Collection” means buying, gathering, receiving or accessing any personal information pertaining to a consumer by any means. This includes receiving information not only from the consumer in the form of declared data, but also receiving information obtained by observing the customer’s behavior. Cal. Civ. Code §1798.140(e).
Who is a “Consumer,” and what is “Personal Information?”
The CaCPA defines these terms very broadly. For purposes of the CaCPA, a “consumer” is any natural person who is a resident of California. Cal. Civ. Code §1798.140(g). (This definition of “consumer” is considerably broader than the definition of “consumer” under the California Consumer Legal Remedies Act, which is limited to an individual who “seeks or acquires, by purchase or lease, any goods or services for personal, family, or household use.” Cal. Civ. Code §1761(e).)
Not to be outdone, the definition of “personal information” stretches equally far. The CaCPA defines “personal information” as information that identifies, relates to, describes, or is capable of being linked or associated with a particular consumer or household. “Personal information” includes identifiers such as name, postal address, online identifier, alias, IP address, e-mail address, account name or number, geolocation data, commercial information (including records of personal property, products or services purchased), internet or network activity information (including browsing history), professional information, education information, and any inferences that can be drawn from this information to create a profile regarding the consumer’s preferences, characteristics, behaviors and abilities, among other things. Cal. Civ. Code §1761(o)(1).
What Does the CaCPA Mean for Companies Who Do Business with California Residents?
The CaCPA imposes obligations on businesses and gives consumers new rights with respect to the use of their personal information, such as:
Required Disclosures: Companies must make certain disclosures to consumers at or before the point of collection of personal information. These disclosures include: the categories of personal information that the company intends to collect about the consumer, a description of how the information will be used and shared, a statement of the consumers’ right to ask that their personal information be deleted, a statement of whether the business sells personal information, and the consumers’ right to opt-out of the sale of their personal information.
Right to Request Information: If a business collects personal information about a consumer, the consumer can ask the business to identify the categories of information that the business has collected, the specific pieces of personal information the business has collected about the consumer, the business or commercial purpose for collecting or selling the personal information, and the categories of third parties with whom the business shares personal information. Businesses cannot be required to provide this information more than twice in a 12-month period.
Right to Opt Out: Consumers can request that a business not sell their personal information. If a consumer “opts out,” businesses must honor that request unless the consumer specifically authorizes the sale of the information. And businesses must respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
Right to “Do Not Sell” Link: Businesses must provide a clear and conspicuous link on the business’ Internet homepage titled “Do Not Sell my Personal Information.” This link must connect to an Internet Web page that enables a consumer to opt out of the sale of the consumer’s personal information.
Right of Deletion: A consumer may request deletion of any personal information the business has collected about him or her. The business must delete all of that consumer’s information and must direct service providers with whom it has shared the information to also delete it. There are nine exceptions to the right of deletion, which most notably include the need to comply with a legal obligation, security reasons, completing a transaction for which the personal information has been collected, or scientific, historical or statistical research that is in the public interest.
How Can Multi-State Businesses Comply?
Businesses that collect personal information from consumers in the European Union and in different states in the United States will find themselves subject to a myriad of privacy laws that differ in scope and requirements. Navigating these waters calls for practical business solutions, such as:
Plan, Prepare and Communicate: Business stakeholders, IT professionals and legal counsel must clearly communicate about essential business functions, what personal information is collected, how personal information is used and shared, and how long it is retained. Inventorying data and mapping data flows are critical steps in this process.
Identify Gaps: Legal counsel should be retained to assess applicable privacy laws and regulations, identify gaps in compliance and associated risks, and recommend steps for compliance. All stakeholders must coordinate on a strategic plan to achieve compliance within budgetary limitations.
Find Common Ground: Identify areas of common ground among various applicable privacy laws. Some companies find it advantageous (and most efficient) to design their privacy programs to the strictest requirements.
Assess Vendors: If third-party vendors are used to process any personal data (including mailers, marketing, payroll, outsourced storage, etc.), the maturity of the vendor’s privacy and security programs also must be assessed. It is essential that the business-vendor relationship be spelled out in clear, consistent contracts establishing the standards for the handling of data, and that the business retain the right to audit and test the vendor. Automated contract workflows can help ensure standardization.
Take the Long View: Train and educate staff on the importance of complying with privacy laws, both from a legal and regulatory perspective and a client service perspective. Select and invest in tools that promote standards, the development of repeatable processes and automation for consistent results and to maximize efficiency.
Is a National Privacy Law Next?
It did not take long for the CaCPA aftershocks to reach Washington, D.C. On September 26 and October 10, 2018, the Senate Committee on Commerce, Science and Transportation conducted hearings to discuss the current state of consumer privacy in the United States and whether Congress should enact comprehensive legislation providing for a uniform nationwide standard.
Although these hearings are in the very early stages, certain themes have emerged. First, any consumer-oriented federal privacy law is likely to preempt state privacy laws to create a uniform, nationwide privacy standard. Second, the Federal Trade Commission likely would be primarily responsible for enforcing federal consumer privacy laws. Third, any federal law must have teeth (in the form of fines), so that business leaders (not just IT professionals) pay attention to the risk. Fourth, the law must not be so burdensome that it will be cost-prohibitive for small businesses to comply. Finally, although it is too early to tell whether Congress will adopt a United States version of the GDPR or the CaCPA, various senators have commented that they think all Americans deserve the same level of privacy protection as Europeans and Californians.
From a business perspective, it is clear that privacy protections are here to stay. Regardless of the final language of the CaCPA (or any future federal privacy law), businesses can gain a competitive advantage by voluntarily taking steps to address consumer privacy concerns. Clear privacy notices, plain language disclosures about the collection and uses of personal information, along with giving consumers the right to opt out of the selling or sharing of their personal information are strong tools toward building consumer relationships and solid business platforms.
About the Author: Stacey Myers Garrett is a shareholder of Keesal, Young & Logan, P.C. Stacey is the senior member of KYL’s cybersecurity and privacy law practice. She holds the following certifications from the International Association of Privacy Professionals: CIPP/US (United States private sector privacy law); CIPP/E (European Union privacy and data protection law); CIPM (Certified Information Privacy Manager); and CIPT (Certified Information Privacy Technologist). Stacey obtained her law degree from the University of California, Hastings College of Law in 1991 and is licensed to practice law in the states of California and Nevada, and before the Supreme Court of the United States. This information has been prepared for informational purposes only and is not intended to be legal advice. Individuals and/or companies should not act upon this information without seeking professional counsel from an attorney.