Alert: California’s “GDPR Lite” Will Affect Businesses Across Industries and Across the Country
On June 28, 2018, California enacted the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (CPA). Effective January 1, 2020, California residents will have unprecedented data privacy rights, which may be adopted by other states. The CPA was moved quickly to stave off a potentially more restrictive privacy law that could have appeared on California ballots this November.
On first read, the CPA can be called a less stringent version of the European Union’s General Data Protection Regulation (GDPR), but its true impact will be shaped through regulation (and potential future amendments) and litigation. Businesses should know that the CPA requires the California Attorney General to solicit comments and adopt regulations on or before the January 1, 2020 effective date. This process will provide an important opportunity to weigh in on many important aspects of the CPA, and we are happy to assist businesses seeking to participate in the process to ensure that workable legal standards can be set.
Subject to various exclusions and exemptions, the CPA generally applies to any “business” that handles “personal information.” The CPA defines “business” as a for-profit legal entity doing business in California that collects personal information regarding California residents, and that satisfies one or more of the following thresholds:
- Annual gross revenues in excess of $25,000,000;
- The entity, alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households, or internet-connected devices; or
- Derives 50% or more of its annual revenues from selling California consumers’ personal information.
The CPA defines “personal information” broadly: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. For example, personal information includes, but is not limited to, the following:
- Personal identifiers such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a California resident’s interaction with an internet web site, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information;
- Education information.
However, “personal information” excludes information that is “publicly available,” which generally means information that is lawfully made available from federal, state, or local government records.
Exclusions and Exemptions from the CPA
Importantly, the CPA’s obligations do not restrict a business’s ability to collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. Commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. The CPA also excludes information that is governed by the Health Insurance Portability and Accountability Act and does not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined under the Fair Credit Reporting Act.
The requirements imposed by the CPA are very similar to the GDPR, but unlike the GDPR the CPA generally adopts an opt-out regime instead of an opt-in regime with respect to collecting and handling consumers’ personal information. In summary, the CPA:
- Requires businesses to make disclosures to California residents about any personal information collected and the purposes for which the personal information is used.
- Grants California residents a right to request that a business disclose the categories and specific pieces of personal information that the business collects about the California resident, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
- Grants California residents the right to request deletion of personal information and would require the business to delete personal information upon receipt of a verified request.
- Grants California residents a right to request that a business that sells the California resident’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of third parties to which the information was sold or disclosed.
- Authorizes California residents to opt out of the sale of personal information by a business and prohibits the business from discriminating against the California resident for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the California resident’s data.
- Authorizes businesses to offer financial incentives for collection of personal information.
- Prohibits a business from selling the personal information of a California resident under 16 years of age, unless affirmatively authorized.
The CPA will generally be enforced by the Attorney General, but it also, in limited circumstances, provides a private right of action
While the CPA may be seen as an extension of existing laws, how it will affect California businesses—as well as businesses across the country—will be determined by the adoption of specific regulations and future amendments enacted before the January 1, 2020 effective date. However, the creation of new private rights of action and regulatory enforcement regime, including potential whistleblower actions, will certainly change the legal landscape in California and across the nation. As with most regulation, the efforts to increase consumer protections will lead to increased litigation.
If you have questions about this alert, please contact one of the authors or any other member of the firm’s Cybersecurity and Data Privacy Team.