By Alexander F. Koskey III
Over the summer, the California legislature made headlines when it passed the California Consumer Privacy Act of 2018. This is the most rigorous privacy measure in the United States in decades and continues the trend of providing more control to consumers over their personal information. With California being the world’s fifth-largest economy, the act is estimated to impact more than 500,000 businesses both inside and outside the state. The definition of “personal information” is more expansive than other recent privacy laws, and there remain significant questions regarding compliance with the legislation. Therefore, performing an inventory of the data collected by your business is critical to determining whether you are subject to the act.
The act is slated to go into effect on Jan. 1, 2020. However, due to the way it was hastily approved by the California legislature, a number of questions remain regarding compliance. In September, the legislature passed a new bill that provided “technical corrections” to the act. However, the road to fully understanding its requirements remains long and winding. As compliance remains a moving target, here is what financial service providers need to know:
What are the key takeaways from the act?
- Businesses will be required, at or before the time of collecting personal information, to inform consumers of the categories of information that will be collected and the business purpose for which it will be used.
- Consumers have the right to opt out of the sale or sharing of their personal information. Businesses will be required to include an option on their website where consumers can select “Do Not Sell My Personal Information” in order to opt out.
- Consumers can request that a business disclose the personal information it collects about the consumer and whether that information is shared with third parties. A business must provide this information free of charge.
- Consumers can request that a business delete any personal information that the business has collected from them.
Who is protected by the act?
The act protects all California residents, which include (1) every individual who is in the state for a temporary or transitory purpose and (2) every individual who is domiciled in the state but who is outside the state for a temporary or transitory purpose. The act further defines a “consumer” as a natural person who is a California resident. With the state’s huge economy, there is a strong likelihood that most companies serve consumers in California even without a physical presence in the state.
Who must comply with the act?
A “business” subject to the act is a for-profit entity that does business in California and satisfies one or more of the following thresholds: (1) the business has annual gross revenues in excess of $25 million; (2) it buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or (3) it derives 50 percent or more of its annual revenues from selling the personal information of consumers. The act does provide certain exemptions from compliance if “every aspect of that commercial conduct takes place wholly outside of California.”
Penalties and enforcement under the act
The act provides for a private right of action for data breaches. The California attorney general can also impose fines in civil enforcement actions up to $2,500 per violation. The fines can be increased to $7,500 per violation for intentional acts.
Recent amendments and what’s next?
Under the original language of the act, the California attorney general is required to issue rules and procedures on a variety of topics where much ambiguity remains. This includes handling a request from a consumer to opt out and developing a uniform opt-out logo or button to promote consumer awareness regarding the sale of personal information. The attorney general has already indicated that the office does not have the capability to conduct adequate rulemaking for the act.
In the meantime, the California legislature’s recent amendments only scratch the surface of the open compliance questions. Perhaps sensing this, the legislature granted a six-month grace period for enforcement, running from the earlier of (a) the California attorney general issuing the required regulations or (b) July 1, 2020. However, this grace period is conditional and only applies if the attorney general does not issue its regulations by July 1, 2019.
The legislature also clarified in amendments that data that is regulated under federal statutes, like the Gramm-Leach-Bliley Act and/or the Health Insurance Portability and Accountability Act, is fully exempt from the act’s privacy requirements. Although companies subject to GLBA may be exempt from various requirements under the act, compliance will still be necessary where the company engages in activities that fall outside GLBA.
What should financial service providers be doing to prepare for the act?
Despite certain exemptions for businesses subject to GLBA, financial service providers should not be at ease and ignore the act. All businesses would be wise to perform a data inventory of all personal information they may collect concerning California residents. After performing a data inventory, companies should also review their privacy policies to determine whether new disclosures need to be added and whether the company will be required to implement various protocols, including receiving data deletion or data inventory requests from consumers.
The act goes into effect in just over 12 months. Businesses still have a multitude of questions regarding some ambiguous areas. Therefore, creating an adaptable compliance program is paramount to reacting swiftly to upcoming amendments and ensuring compliance. As the privacy world continues to become more fragmented with state-specific laws, this is the best and most effective way to ensure compliance with the California act and future laws.
Alexander F. Koskey III is an associate in Baker Donelson’s Atlanta office. He can be reached at firstname.lastname@example.org.