In the US, there is no single, comprehensive federal (national) law regulating the collection and use of personal data. Instead, the US has a patchwork system of federal and state laws that sometimes overlap or contradict one another. Laws such as HIPAA, COPPA, CAN-SPAM and Gramm-Leach-Bliley all prohibit unfair and deceptive practices involving the disclosure of personal information and set security procedures for protecting it, yet each applies only to a particular category of information.
In recent years, the number of companies collecting, storing, and using personal information for better “customer experiences” and “valuation” has surged. A study conducted by Pew Research Center in 2016 revealed that roughly 50% of Americans do not trust the Federal Government or social media sites to protect their data, yet social media use continues to grow. At the same time, there have been over 60 data breaches of large organizations since 2015. Some of the world’s most recognized brands have been subject to a breach – Facebook, Equifax, UBER, Weebly, Hilton, the IRS, and Walmart to name a few. In recent months, consumers have also been made aware of some of the more egregious violations, none more prominent than Facebook and the Cambridge Analytica breach, which has received global attention.
In fact, in a recent study on Consumer Attitudes Toward Data Privacy by Janrain Research, 57% of the respondents indicated that they were more concerned about data privacy, and 68% wanted to see laws enacted in the US akin to the General Data Protection Regulation (GDPR), which came into force in the EU last May.
Enter California and the new California Consumer Privacy Act of 2018.
In June 2018, the California Consumer Privacy Act of 2018 (CCPA), a new law around consumer privacy, was signed by Governor Jerry Brown. The law was signed just hours before a separate, more stringent November ballot initiative, spearheaded by Alastair Mactaggart, a wealthy real-estate developer, was due to move forward. The ballot initiative had strong opposition from the likes of Google and Facebook, who invested a significant amount of money to rally against it. Mactaggart didn’t expect that lawmakers would be willing to strike a deal so quickly, but indicated that it was a “big leap forward.”
The legislation that was passed was modeled after the ballot initiative and was pushed through the California State Legislature quickly because an act is far easier to modify later than a voter-approved measure.
The CCPA will take effect January 1st, 2020 and applies to any organization that conducts business in the State of California and satisfies one of three conditions:
1. The organization has an annual gross revenue in excess of $25,000,000
2. Annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers or households
3. The organization derives 50% or more of its annual revenue from selling consumers’ personal information
CCPA establishes a new privacy framework for those businesses by:
1. Creating an expanded definition of “personal information”
2. Creating new data privacy rights for California consumers which include such things as Right-to-Know, Data Access, Have Deleted, and Opt-Out of the sale of their personal information
3. Creating a statutory damages framework for businesses that violate the Act and for businesses that fail to implement security procedures and practices to prevent data breaches
Under CCPA, California residents will have a number of new rights:
– Data Access Requests: Consumers can request copies of the specific pieces of personal information that the business has collected, and the business must respond to these requests within 45 days.
– Data Deletion Requests: When a consumer requests that their information be deleted, the business is required to delete any personal information that it has collected, and any direct service providers are also required to do the same. There are several exceptions at this time, but these will likely be revised by lawmakers before the law takes effect in 2020.
– Opting Out of the Sale of Personal Information: Consumers now have the ability to opt out of the sale of any of their personal information.
– A “Do Not Sell” Link: Businesses are now required to add a new link to their homepages titled “Do Not Sell My Personal Information.” Businesses will also need to amend their privacy policies to reflect this option for consumers in California.
– Consent for Minors: Minors must now “affirmatively authorize” the sale of their personal information, and minors under the age of 13 must also gain the consent of a parent or guardian.
– Right of Action: The law gives consumers the ability to sue for damages, in coordination with the State Attorney General, if a subset of personal information is accessed, stolen, or disclosed without authorization. There are some timelines associated with these lawsuits that, again, will likely get amended in the future.
As of this writing, businesses that fail to resolve a violation within the allotted time frame could face a maximum fine of $7,500 per intentional violation. In the event of a breach, consumers can also bring civil action against businesses to recover damages ($100-$750 per consumer per incident or actual damages, whichever is greater).
Trendline believes that this law will serve as a catalyst for other states to enact their own privacy statutes because of the considerable influence that the State of California has over the rest of the nation. Trendline customers should be aware that although this law will go into effect in January 2020, state lawmakers will no doubt introduce amendments that might alter it slightly.
However, three key questions might arise as a result of this new legislation:
Does CCPA apply if I do not sell personal information?
The answer is yes. The definition of “sell” in CCPA goes well beyond what it typically means to “sell” data. Here it essentially means sharing or providing personal information to another business or third party for “monetary or other valuable consideration.” In fact, the “selling” of information might apply to online marketing scenarios where consumer data is the currency even when there is no direct monetary payment for that data. For example, one could argue that using technology to track users on a site, build profiles of interest, and use those profiles in subsequent communications (browse/abandon triggers or dynamic content recommendations) for “personalization” could be affected by this law.
Is this new law just like GDPR?
The answer is partly yes and partly no. Yes, in the framework of rights provided to consumers, such as the Right-to-Know, Data Access, and deletion of personal information. No, because the new law contains key provisions with new definitions and nuances that companies will need to work through. However, those companies that have prepared and deployed GDPR compliance standards are ahead of the game.
Unlike GDPR, there does not appear to be a requirement to re-permission or obtain fresh consent to communicate directly with individuals who have previously opted into the current email program. However, as mentioned, there could be amendments to this law in the coming months, and Trendline will continue to monitor for any changes around this area.
What are the implications for email?
As of July 2018, Trendline believes that the implications for email will be somewhat problematic for certain organizations, especially in the area of data access requests. Given that most organizations hold data about each customer/subscriber in different locations, it will be necessary to plan a course of action around the consolidation of data sources for residents of California. Given that other states might follow suit, it might be a good idea for organizations to begin a larger data consolidation to build a single view of each customer/subscriber. Data deletion requests should fall into line if organizations maintain accurate and up-to-date data records.
Lastly, organizations should start to engage their legal teams, especially around the “selling” of information and how the use of third-party vendors could be affected. Trendline believes that if organizations are transferring data such as open times, web behavior, purchase data, or anything that is used to re-market, re-engage, or optimize their programs, this will fall under the “selling” of information. Clarification will be required on how to proceed with informing and taking action with subscribers, as well as dealing with the vendors.
Companies should not panic, because time and change might be on their side. However, the new era of privacy is upon us, and we advise all clients to begin discussions internally with vendors, internal counsel, and any other area of the organization that might be involved in ensuring compliance. Trendline will continue to monitor any and all changes to this law in California, as well as other states that might follow suit around privacy regulation.