By Dean Short
For companies that do business in California and collect personal information, the above link is not likely to be available after January 1, 2020. However, mandatory opt-out links for California residents will be required to be posted conspicuously by companies that collect, process, or store personal data, and especially by companies that sell or transfer it. The scope of the new California Consumer Privacy Act of 2018 (CaCPA), which was passed in June 2018, is broad and sweeping, and it deserves your company’s attention.
Good news: your company has until January 1, 2020 to comply with the new obligations.
Bad news: the new obligations may require a significant rethinking of your website interface and of your backend collection, processing and storage mechanisms, which may push your IT team up against the deadline if you wait too long to get started; not to mention that your consumer-facing privacy policy will need a refresh to comply with CaCPA.
The new law applies to large businesses (>$25m gross revenue), to companies that derive fifty percent or more of their annual revenues from selling consumers’ information, and, in the category that most companies will fall into, to businesses that collect “the personal information of 50,000 or more consumers, households or devices.” Personal information includes a very broad range of information that may be used to identify a California resident. The new law applies to businesses located in or doing business in California, which covers most businesses with a website that collects personal data.
CaCPA imposes requirements eerily similar to those of the European Union’s “GDPR,” which went into effect in May 2018. Among the most significant obligations, companies will be required to provide a toll-free 1-800 number and a website interface that allow California residents to inquire as to what categories of information, and what specific information, the company collects or has collected from that consumer. Companies will need to give California residents the ability to request a copy of their personal records, or even to demand their deletion from the company’s servers and those of its third-party service providers. This can get very tricky when dealing with servers that have multiple backup sites and redundant disaster-recovery servers. Also, a specific link to opt out of the sale of their personal information, reading “Do Not Sell My Personal Information,” will need to be displayed prominently within the privacy policy or website. In fact, the law contemplates that the California Attorney General may even develop a catchy logo that helps direct consumers to the opt-out link. To inform consumers of their rights and provide the above-referenced opt-out link, companies will need to revamp their privacy policies and consumer messaging prior to collecting personal information. The law also builds in an anti-discrimination concept that prevents companies from lowering or denying service levels to consumers who elect to opt out. The law even envisions that companies may set up a California-resident-facing website in parallel with their general website in order to ensure compliance with the new law. As with the GDPR, companies will likely struggle to divvy up the rights available to their California residents vs. European citizens vs. residents of other countries and states.
Practically speaking, with the swell of privacy laws approaching, companies will likely need to apply a one-size-fits-all approach that meets the strictest of the applicable laws, to avoid constantly updating their policies or adopting numerous policies and websites to account for variants among the new privacy laws.
As with the recent EU GDPR, the tenets of transparency and reasonableness are prevalent throughout the text of the CaCPA, and fortunately there may be common denominators for compliance purposes that can be leveraged to stay ahead of both laws, and perhaps of future laws enacted in other countries and states. The California law, like the GDPR before it, requires that companies be straightforward with consumers as to what categories of information are being collected, why they are collected, and who they will be shared with, so that consumers have a clear understanding and an opportunity to opt out, thereby disallowing the ‘sale’ of their information. The California law does provide for reasonable exceptions where the collection is only a one-time transaction, or where the information is necessary to prevent fraud or is in the public interest.
Privacy attorneys watching the CaCPA carefully have noted inconsistencies and conflicts between the law and Federal remedies, and in particular in the definition and scope of a ‘sale’ versus a ‘transfer’ of personal information. Therefore, some terms and the scope of the law may be addressed by the California Legislature before the law takes effect. Additionally, the California Attorney General is granted broad rights to modify this law to expand the scope of personal information and to “adopt additional regulations as necessary” to further the purpose of the new law. This means that we will all need to stay tuned to the developments, and perhaps to the behind-the-scenes negotiations between large tech companies, legislators and consumer advocacy groups.
With proper guidance your company can get ahead of the oncoming sweeping changes to data privacy requirements and consumer rights in California.
Dean Short
Dean Short is an attorney at Short Legal Group, a small law firm based in Newport Beach, California. Attorneys at Short Legal Group work with clients ranging from small start-ups to multinational corporations and standards bodies, with emphasis on technology, corporate governance and compliance.
Please contact Dean Short or Montage Legal Group ([email protected]) if you need assistance with this new California law or other corporate matters.
(949) 478-5878