By Dean Short
For companies that do business in California and collect personal information, the above link is not likely to be available after January 1, 2020. However, mandatory opt-out links for California residents will be required to be posted conspicuously by companies that collect, process, store, and especially by those companies that sell/transfer personal data. The scope of the new California Consumer Privacy Act of 2018 (CaCPA) that was passed in June 2018 is broad, sweeping and deserves your company’s attention.
Good news: your company has until January 1, 2020 to comply with the new obligations.
The new law applies to large businesses (>$25m gross revenue), companies that derive fifty percent of their annual revenues from selling consumers’ information, or, the category that most companies will fall into: businesses that collect “the personal information of 50,000 or more consumers, households or devices.” Personal information includes a very broad range of information that may be used to identify a California resident. The new law applies to businesses located in, or doing business in California, so that pretty much covers most businesses with a website that collect personal data.
As with the recent EU GDPR law, the tenets of transparency and reasonableness are prevalent throughout the text of the CaCPA. Fortunately, there may be common denominators for compliance purposes that can be leveraged to stay ahead of both laws, and perhaps of future laws enacted in other countries/states. The California law, like the GDPR before it, requires that companies be straightforward with consumers as to what categories of information are being collected, why they are collected, and who they will be shared with. The aim is to give the consumer a clear understanding and also an opportunity to opt out, thereby disallowing the ‘sale’ of their information. The California law does provide for reasonable exceptions in case the collection is only a one-time transaction or if the information is necessary to prevent fraud or is in the public interest.
Privacy attorneys watching the CaCPA carefully have noted inconsistencies and conflicts in the law with Federal remedies, and in particular in the definition and scope of the ‘sale’ versus a ‘transfer’ of personal information. Therefore, some terms and scope of the law may be addressed by the California Legislature before the law takes effect. Additionally, the California Attorney General is granted broad rights to modify this law to expand the scope of personal information and to “adopt additional regulations as necessary” to further the purpose of the new law. This means that we will all need to stay tuned to the developments and perhaps the behind-the-scenes negotiations between large tech companies, legislators and consumer advocacy groups.
With proper guidance your company can get ahead of the oncoming sweeping changes to data privacy requirements and consumer rights in California.
Dean Short is an attorney at Short Legal Group, which is a small law firm based in Newport Beach, California. Attorneys at Short Legal Group work with small start-ups to multi-national corporations and standards bodies with emphasis on technology, corporate governance and compliance.
Please contact Dean Short or Montage Legal Group ([email protected]) if you have any need for their assistance with this new California law or other corporate matters.