Achieving Compliance with California’s New Privacy Law
In June 2018, California enacted the California Consumer Privacy Act of 2018, the most comprehensive data privacy law to date in the United States (the “Act”). The Act is intended to provide greater protection for consumer data gathered by businesses, and will become effective January 1, 2020. For a general summary of the Act and its key features, please consult our article, “What You Need to Know About California’s New Privacy Law,” published last month.
The Act requires businesses to implement policies providing consumers the right to: (i) know what type of personal information is collected, (ii) opt out of the sale of personal information to third parties, and (iii) request that a business delete personal information that it has collected. Businesses that are subject to the Act should prepare by performing a “gap analysis” to identify gaps between existing policies and the requirements of the Act. Appropriate changes to policies and procedures should be adopted and implemented.
The following is a summary of the impact of the Act and the requirements that must be met by January 1, 2020:
Right to Know
Consumers have the right to know what type of information is being collected about them and for what purpose. Businesses subject to the Act that collect personal information must disclose to consumers, at or prior to the time of collection, the categories of personal information to be collected and the purposes for which it will be used. Because “personal information” is defined broadly under the Act, determining whether disclosures are necessary may prove difficult. Once a business has determined that it collects personal information, it should ensure that it is able to identify and disclose the categories of information collected and its reasons for collecting them.
Consumers may request records of the personal information that a business has collected about them. Upon receipt of such a request, the business must disclose (i) the categories of personal information collected, (ii) the sources from which the personal information is collected, (iii) the purposes for collecting the personal information, (iv) the categories of third parties with whom the business shares personal information, and (v) the specific pieces of personal information that the business has collected about that consumer. Businesses must provide this promptly (i.e., within 45 days of receiving the request). Responding to such consumer records requests may require new processes and additional personnel and resources.
It should be noted that the obligation of a business to deliver records to a consumer upon request is subject to a few limitations. For instance, a business is obligated to respond to a consumer request only if it is verifiable (see below), and a consumer is entitled to receive records from a business no more than twice per year.
Right to Opt Out
Consumers will also have the right to opt out of the sale of their personal information to third parties. Additionally, businesses that engage in the sale of personal information must inform consumers that they sell information, and must notify consumers that they have a right to opt out under the Act. Compliance with these provisions of the Act will require businesses to assess their data collection practices to determine whether the data that they collect is being sold to third parties. If so, procedures will be necessary to notify consumers and to honor opt-out requests. Businesses will also need to ensure that they maintain records of the third parties to whom a consumer’s personal information is sold.
Where a consumer is under the age of 16, the right effectively becomes a “right to opt in”: consumers who are at least 13 but under 16 years of age must affirmatively consent to the sale of their information, and, in the case of consumers under 13 years of age, the consumer’s parent or guardian must consent. In order to avoid selling the personal information of a consumer under the age of 16 without the required consent, businesses will need policies and procedures for identifying personal information relating to young consumers.
Right to Request Deletion
Another right granted to consumers under the Act is the right to request that personal information collected by a business be deleted. In order to comply with this provision of the Act, businesses will need to identify what personal information they have collected regarding a consumer and maintain that information in an organized manner so that it can be located and deleted when necessary, including copies held by service providers acting on the business’s behalf.
There are limitations on what information a business is required to delete upon request. For example, businesses do not need to delete information necessary to consummate a transaction with a consumer, detect or report security incidents or illegal activity, or comply with legal obligations. Businesses will need appropriate data management techniques in order to efficiently respond to a consumer request for deletion.
Other Requirements for Compliance
While the Act generally permits businesses to comply with its requirements in any way they choose, there are a few mandates that may require substantial preparation. For instance, the Act requires that businesses provide at least two methods for consumers to submit requests related to their personal information. At a minimum, businesses will need to establish a toll-free telephone number and, for businesses that maintain websites, they will need to make available a web address that accepts consumer requests.
Additionally, a business must respond to a consumer request only if the request is verifiable—that is, if it can be verified that the person making the request for records is, in fact, the consumer who is the subject of such records. A records request process that verifies identity weakly can itself become a means of exposing a consumer’s personal information to an impersonator, so the verification step should be treated as a security control and not merely a formality. In order to minimize potential liability and to promote efficiency, it will be in the best interests of businesses to verify all requests for records. Creating and implementing such a verification process may require significant planning and coordination with appropriate data sources. The exact procedure by which a business will be able to verify the identities of requestors may vary from state to state.
For businesses that engage in the sale of consumer information, the Act also requires a clear and conspicuous hyperlink, titled “Do Not Sell My Personal Information,” on the business’s website homepage. The hyperlink must direct consumers to a page that allows them to opt out of the sale of their personal information.
The Act is a significant step in providing protection for the personal information of consumers. Because it is the most comprehensive statute of its kind in the United States, the full impact of compliance with its requirements is still uncertain. Although we anticipate the Act will undergo some substantive changes before it becomes effective in 2020, we believe that businesses should begin their compliance efforts now because the Act is consistent with the global trend towards more robust privacy laws that grant individuals more control and rights relating to their own personal information.
Patrick M. Kennedy