"California’s New Data Privacy Law”
Recently, California established a new data privacy law regarding the rights of consumers over their personal information. Set to take effect in 2020, this new law will affect companies in the digital sector (who have clients in California) by forcing them to comply with higher privacy standards. Consumers will have to be given the option to opt-out of sharing personal information, as well as the right to prohibit the sale of their information if they do choose to share it.
The law gives consumers sweeping control over their personal data. It grants them the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and who they are sharing it with. Consumers will have the option of barring tech companies from selling their data, and children under 16 must opt into allowing them to even collect their information at all.
So, what does this mean for businesses? Many businesses will have to undergo major changes by modifying their infrastructures in order to adhere to the new California law.
Who does this law apply to?
The act applies to most companies with California-based assets or customers. Simply put, the act applies to any business that;
- does business in California,
- collects California consumers’ “personal information”,
- AND satisfies one or more of the following thresholds:
- (A) annual gross revenues over $25 million;
- (B) buys, receives, sells or shares (for commercial purposes) the personal information of 50,000 or more Californian consumers, households or devices annually;
- (C) derives 50 percent or more of its revenues from selling consumers’ personal information.
Thus, even a small company with less than $25 million in revenues could still be subject to the act if it has at least 50,000 unique California visitors annually to its website and makes money by or otherwise engages in interest-based advertising. Moreover, it is not limited to online enterprises and could be applied to exclusively brick-and-mortar establishments that do business in California.
What is meant by “personal information”?
The act significantly expands the definition of “personal information” to cover almost any consumer-related data that a company collects or maintains. In addition to the usual suspects (e.g., name, Social Security number, biometric identifiers, geolocation information, etc.), the definition of “personal information” also includes:
- Tracking data and unique identifiers, such as an IP address, cookies, beacons, pixel tags, mobile ad identifiers and similar technology, customer numbers, unique pseudonyms, “probabilistic identifiers” that can be used to identify a particular consumer or device, and other persistent identifiers that can be used to recognize a consumer, family or device over time and across different services.
- Behavioral and profiling data, including (i) browsing history, search history, and information regarding a consumer’s interactions with a website, application or advertisement,” (ii) purchasing history, including products or services that were obtained, purchased or considered, or purchasing tendencies, and (iii) inferences drawn from the foregoing to create a profile reflecting the consumer’s preferences, characteristics, psychological trends, predispositions and attitudes.
- Professional and personal background data, including “professional or employment-related information,” as well as “education information” that is not considered publicly available personally identifiable information under the Family Educational Rights and Privacy Act (FERPA), and “characteristics of protected classifications under California or federal law.”
- Other sensory data, including “audio, electronic, visual, thermal, olfactory or similar information.”
What are the requirements for collecting data on minors?
The act requires consent from children age 13-16 to sell personal information. The act requires a business to obtain a parent’s or guardian’s “affirmative authorization” to sell or disclose personal information of a child under 13 to a third party for nonbusiness purposes, consistent with the U.S. COPPA law. The act also prohibits a business from selling personal information of a child between ages 13-16 absent affirmative authorization from the child (called the “right to opt-in”).
Unfortunately, no guidance is provided as to how underage users should be identified or how opt-in should be achieved. In practice, this could require an affirmative opt-in consent to engage third-party tracking technology on a website when the business has actual knowledge that children ages 13-16 use the website (or has willfully disregarded such knowledge). Because teenagers are so active online and are a desirable demographic for many commercial websites and applications, this requirement could create a significant burden for businesses operating in California.
How will this law be enforced?
The act will be principally enforced by the California attorney general. The act provides for enforcement by the California attorney general in nearly all instances. Businesses may be liable for civil penalties up to $2,500 per violation after a 30-day cure period, or up to $7,500 for each intentional violation of the act.
Can I set up a separate homepage for California consumers?
Some businesses may decide to offer a separate landing page for California consumers. The act suggests that businesses may choose to maintain a separate homepage dedicated to Californian consumers in order to comply with the requirements of the act. For example, a business with significant market penetration in the 13- to 16-year-old age bracket may struggle to obtain affirmative authorization from such users before collecting cookie and pixel data on their homepages. A business may face similar challenges in halting the collection of cookie and pixel data for consumers who have opted-out of such data collection or disclosure to third parties. Displaying a homepage stripped of third-party advertising pixels to all Californian consumers may be a more effective method of compliance, though this approach presents its own challenges in whether a business can accurately identify whether an online visitor is coming to the site from California or elsewhere.
Next Steps for Businesses
While the compliance deadline of January 2020 seems far into the distant future, one-and-a-half years can pass in the blink of an eye (just ask the thousands of companies who have yet to achieve any level of compliance with the GDPR, which went live on May 25!). Accordingly, businesses should follow a diligent protocol of assessing their readiness to comply with the act, identifying gaps between the current compliance posture and desired status, prioritizing remediation activities, and working methodically toward full compliance.
In an increasingly digitized world, we value privacy and are committed to protecting your personal information. Data and its protection are at the core of everything Digital Edge does. As such, our business is built on Stability, Security, Efficiency, and Compliance, enabling us to protect our customers’ most valuable assets. We are committed to complying with the new legislation and will collaborate with partners throughout this process.