Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted

Transcription

1 2018 Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted After only a few days of legislative debate, Governor Jerry Brown of California signed a bill enacting the California Consumer Privacy Act of 2018 (the CCPA ) on June 28, The CCPA is a comprehensive new data privacy law that will impact businesses around the world that obtain, use, store or otherwise process the personal information of California residents (including California residents who are temporarily located in other places). The CCPA was enacted very quickly, to forestall a proposed November 2018 statewide ballot initiative that would have imposed even more restrictions on businesses. The CCPA represents a rough compromise between the government and the proponents of the ballot initiative. Shortly after Governor Brown signed the bill, the ballot initiative s proponents agreed to withdraw that initiative. The purpose of the CCPA is to give California residents an effective way to control their personal information, by ensuring the following rights: The right to know what personal information is being collected about them. The right to know whether their personal information is sold or disclosed and to whom. The CCPA will become effective on January 1, Because the law was drafted so hastily in light of the pending proposed ballot initiative, many of its provisions are confusing, and may conflict with other California laws. Accordingly, one should not be surprised if the law is amended sometime before its effective date. Moreover, this law may be subject to future challenges in court. As a general matter, the requirements under the new law are similar to those of the European Union s General Data Protection Regulation ( GDPR ), which came into force on May 25, Howeverthe CCPA as currently drafted is even more severe than the GDPR in many respects. Thus, even businesses that are currently GDPR-compliant will need to take additional steps by January 1, 2020 to become compliant with the CCPA. Unfortunately for businesses that are not GDPR-compliant, or that are not subject to the GDPR, they will have even more work to do before I. Whose Personal Information is Protected Under the California Consumer Privacy Act? The CCPA is designed to protect California residents, who are generally defined as: Individuals who are in California for other than a temporary or transitory purpose, and The right to say no to the sale of personal The right to access their personal The right to the same service and the same price, even if they exercise their privacy rights. Individuals who are domiciled in California but who are physically outside the state for a temporary or transitory purpose. (This means that the CCPA will protect the personal information of California residents, even if they are not physically in California at the time the personal information is processed.)

2 II. What Types of Personal Information Will Be Protected? The CCPA defines the term Personal Information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The term Personal information is defined very broadly and includes (but is not limited to): The real name, alias, postal address, unique personal identifier, online identifier Internet Protocol (IP) address, address, account name, Social Security Number, driver s license number, passport number, or other similar identifiers. Characteristics of protected classifications under California or federal law. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Biometric psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes. Personal information does not include publicly available information, which is any information that is lawfully made available from government records. Notably, however, many types information that one might expect to be considered publicly available are not within the scope of the term publicly available under the CCPA. For example, the CCPA specifies that information is not considered publicly available if it is used for a purpose that is not compatible with the purpose for which it is maintained and made available in the government records. Moreover, publicly available does not include consumer information that is de-identified or aggregate consumer III. What Types of Businesses Will Be Subject to This Law? The CCPA applies to for-profit entities that do business in California (including any samebranded parent or subsidiary company) that meet any one of the following three criteria: Has gross revenues of more than $25 million; Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer s interaction with a website, application, or advertisement. Geolocation data. Receives or shares personal information for more than 50,000 consumers, households or devices; or Receives more than 50 percent of its annual revenue from the sale of personal Audio, electronic, visual, thermal, olfactory or similar Professional or employment-related Education information that is not publicly available. Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer s preferences, characteristics, A company that lacks a physical presence in California might not be subject to this law, so long as it is not doing business in the State of California. However, the concept of doing business in California is interpreted very broadly. Accordingly, businesses that may think they are not subject to this law may find that they indeed will be ensnared. 2

3 IV. What Rights and Obligations Do the CCPA Impose? The CCPA provides the following rights to California residents and imposes obligations on businesses that process California residents personal information: Up to two times in any 12-month period, California residents may request that businesses disclose the categories and specific pieces of personal information that they collect, the types of sources from which the businesses collect the personal information, the business purposes for collecting or selling the personal information, and the types of third parties with which the information is shared. businesses will not be able to charge the consumer who opts out a different price or providing the consumer a different quality of goods or services (except if the difference is reasonably related to the value provided by the consumer s data). Businesses will be prohibited from selling the personal information of a child, unless they obtain an opt-in from an appropriate party. Children between the ages of 13 and 16 can opt in for themselves. For children under the age of 13, businesses must obtain an opt-in from a parent or guardian. (Note that the online collection of data of children under the age of 13 remains subject to the federal Children s Online Privacy Protection Act.) California residents will have the right to request deletion of personal information, with certain exceptions. Businesses will be required to delete such information upon receipt of a verified request, as specified. California residents will have the right to request that a business that sells the consumer s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the identity of third parties to which the information was sold or disclosed. Businesses will be required to provide this information in response to a verifiable consumer request. California residents will have the ability to opt out of the sale of personal information by a business. Businesses must make available, in a form reasonably accessible to consumers, a clear and conspicuous link to the homepage, titled Do Not Sell My Personal Information. The business must wait at least 12 months before requesting to sell the personal information of any California resident who has opted out. Businesses will be prohibited from discriminating against the consumer for exercising their right to opt out of the sale of their personal For example, V. How Does the CCPA Differ From the GDPR? The CCPA: Defines personal information more broadly than the term personal data is defined under the GDPR. Requires the use of disclosures, communication channels and other measures that are not required under the GDPR. Establishes broad rights for California residents to direct the deletion of their personal information (a.k.a., the right to be forgotten ), with different exceptions than those available under GDPR. Establishes broader rights to access personal information than the GDPR offers. Requires businesses not to discriminate against a consumer because he or she exercised any rights under the law. Imposes more rigid restrictions on data sharing for commercial purposes than the GDPR does. 3

4 VI. What Steps Should Businesses Consider Taking? The CCPA may be revised before its January 1, 2020 effective date, and the law may still be challenged in court. Nevertheless, because eighteen months come and go quickly when there is much work to do, businesses should consider taking several actions in the near future to prepare for the CCPA. Such steps may include: Determining and mapping where the business maintains the personal information of California residents, households and devices. Establishing a mechanism for California residents to make requests as to their personal information, including a toll-free telephone number. Implementing appropriate technological and organizational systems to comply with the law s new requirements. Updating privacy policies to explain California residents rights under the CCPA. Implementing processes to obtain the appropriate affirmative consent with respect to sharing of children s personal VII. What Are the Potential Penalties For Non- Compliance? Businesses may face penalties of up to $7,500 for each intentional violation of any provision of the CCPA. Additionally, businesses that suffer a data breach may be obligated to pay damages of not less than $100 to $750 per California resident and incident. If you have any questions about this article, please contact Michael J. Riela at riela@thsh.com or your usual contact at Tannenbaum Helpern. About Tannenbaum Helpern s Cybersecurity and Data Privacy Practice Tannenbaum Helpern s Cybersecurity and Data Privacy Practice regularly advises investment advisers and other types of clients in managing and responding to the ever-evolving data privacy and cybersecurity landscape. We provide the following types of services: 1. Prevention: Helping clients develop proactive procedures and policies designed to mitigate their risk of data security breaches, and to help them be prepared to deal with security breaches efficiently when they inevitably do occur; 2. Compliance: Helping clients comply with applicable privacy and security laws and regulations, including the California Consumer Privacy Act of 2018 (CCPA) and the European Union s General Data Protection Regulation (GDPR); 3. Risk Reduction: Negotiating contractual protections with vendors and contractors who have access to clients and their customers information, conducting employee training to recognize and avoid security threats, and directing clients in how to obtain appropriate cybersecurity insurance protection; 4. Response: Responding to data breach incidents when they occur, including implementing breach response and notification plans as required by applicable law, and liaising with law enforcement and other immediate responders such as insurance companies, forensic experts, technical consultants, and public relations professionals; and 5. Dispute Resolution: Defending clients in connection with any disputes and legal claims that arise from cyber breaches. The effective management of cyber risk often requires input from insurance professionals, information technology experts, forensics 4

5 experts, public relations experts and others. Our Cybersecurity and Data Privacy Practice can connect you with qualified professionals in these fields. About Tannenbaum Helpern Syracuse & Hirschtritt LLP Since 1978, Tannenbaum Helpern Syracuse & Hirschtritt LLP has combined a powerful mix of insight, creativity, industry knowledge, senior talent and transaction proficiency to successfully guide clients through periods of challenge and opportunity. Our mission is to deliver the highest quality legal services in a practical and efficient manner, bringing to bear the judgment, common sense and expertise of well trained, business minded lawyers. Through our commitment to service and successful results, Tannenbaum Helpern continues to earn the loyalty of our clients and a reputation for excellence. For more information, visit Follow us on LinkedIn and 5