California is implementing a law that has major implications for companies that deal in personal data, as well as for large to medium-sized companies that have an internet presence in California. The California Consumer Privacy Act passed this summer and will take effect on January 1, 2020. Its strict compliance requirements will impact many companies outside of California.

The law applies to businesses that are for-profit, that collect California residents' personal information, that do business in the State of California, and that satisfy at least one of the following:

  • Annual gross revenues in excess of $25 million.
  • Buy, sell, or share the personal information of 50,000 or more California residents, households, or devices on an annual basis.
  • Derive 50 percent or more of their annual revenues from selling California residents' personal information.

Furthermore, the law is binding on affiliated companies of such businesses. These affiliated companies must share the same brand as the governed company and have an ownership relationship of at least 50 percent in or by the governed company.

To illustrate the above definition, suppose that Corp. A is organized as a for-profit in California, collects the personal information of California residents, and has annual gross revenues in excess of $25 million. This entity must comply with the act. Now suppose that ABC, LLC is a subsidiary of Corp. A, where Corp. A holds a 60 percent ownership interest in its affiliated entity and they share the same trade name. ABC, LLC will have to comply with the act even if it did not meet the statutory definition of a business on its own.

The new law uses a broad definition of "personal information," including "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This definition includes information like:

  • Identifiers such as a real name, postal address, email address, social security number, or other similar identifiers.
  • Commercial information, including purchasing or consuming histories.
  • Geolocation data.

Personal information does not include publicly available information that is made available from federal, state, or local government, and it also excludes pseudonymized and de-identified information that is used for non-commercial research purposes.

The newly signed law gives consumers a number of rights that businesses need to be aware of:

  • The right to have access, upon receipt of a verifiable consumer request, to the consumer's personal information in a readily useable format.
  • The right to have their personal information deleted unless a business fits into an enumerated exception.
  • The right to "opt out" of the sale of personal information.
  • The right to not be discriminated against for exercising any of the consumers' rights under the law.

With respect to the first right, the law requires businesses to disclose what personal information has been collected, where it was collected from, why it was collected, and who was given the information. The law states that businesses must, at a minimum, provide at least two points of access for consumers to submit requests for disclosure. These access points include a toll-free telephone number and the business's website. Furthermore, businesses will have to disclose the requested information free of charge within 45 days of the receipt of a consumer's request. This represents an expansion of the current requirement that businesses merely post their privacy policies on their websites.

With regard to the right to be free from discrimination, the law mandates that businesses cannot deny goods or services, charge different prices for goods or services, or provide a different quality of goods or services to those consumers who exercise their rights provided under the law. However, it does permit businesses to charge a different price, or provide a different level of service, to a customer "if that difference is reasonably related to the value provided to the consumer by the consumer's data." This may lead to businesses introducing tiered access to their services and products, with free options available only to people who allow the unrestricted collection and use of their personal information.

In addition to granting consumers certain rights, the law also requires businesses to make certain disclosures. For instance, businesses need to inform consumers of their rights under the law, the categories of personal information they collect, the purposes for which that personal information is collected, and the categories of personal information that they sold or disclosed in the preceding 12 months. This information can be included in a website privacy policy, though the policies will need to be updated every 12 months to ensure compliance.

Furthermore, a business that sells consumers' personal information to third parties must provide notice to consumers that their personal information may be sold and that consumers have the right to opt out of the sale of their personal information. These companies must provide consumers the ability to opt out of the sale by supplying a link titled "Do Not Sell My Personal Information" on the business's homepage.

If a business has actual knowledge that a consumer is younger than 16 years of age, the law provides that a business must not sell the personal information of such consumer without that consumer's affirmative consent. If the consumer is 13 years of age, then a business needs the affirmative consent from a parent or guardian of such consumer. This is known as the right to "opt in." A business will be deemed to have actual knowledge of a consumer's age if the business willfully disregards the consumer's age. This requirement layers over the requirements of the Children's Online Privacy Protection Act and other age-related statutes and international treaties; compliance with other standards does not create a safe harbor under this law.

The California Consumer Privacy Act provides several routes to financial penalties for violations. Consumers have a private right of action that includes statutory damages, and the California attorney general is empowered to sue on behalf of consumers as well.

Because the act protects California consumers that interact with a company's website regardless of where that company is located, the law's effect will be widespread. Companies that are located outside of California and even outside of the United States should start developing a strategy to comply with the law's myriad requirements ahead of the 2020 effective date.
