California Privacy Law Passes!
Beginning on January 1st, 2020, Californians will enjoy privacy rights very similar to the EU’s General Data Protection Regulation (GDPR), which went into effect earlier this year. While Californians already enjoyed a state constitutional and “inalienable” right to privacy, the California Consumer Privacy Act of 2018 grants Californians broad rights to know what personal information is held by businesses, how the personal information was collected, what each business plans to do with the personal information, and to manage that personal information in terms of its sale.
To begin, if you have business interests potentially involving Californians, be aware that the Privacy Act provides a very broad definition of “personal information”, which includes any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly” to a person or household. Names, aliases, IP addresses, email addresses, account and other identifying numbers, purchasing histories or tendencies, biometrics, internet activity, employment and education information, and any inferences derived from the above information will be held by businesses only with the consent, and at the mercy, of private citizens. The Privacy Act also grants Californians the rights to request disclosures as to what personal information a particular business possesses and to mandate deletion of some or all personal information held by that business, as well as the right to restrict or prohibit the sale of such information.
Importantly, businesses will only need to respond to audit or deletion requests that are “verifiable consumer requests”, and such responses are limited to not more than two during a twelve-month period. Further, businesses will generally not have to retain personal information from single, one-time transactions if the personal information is not sold. Interestingly, the Privacy Act does allow businesses to provide financial incentives to customers consenting to the use or collection of personal information. And, quite differently from GDPR, the Privacy Act: (1) only requires conspicuous “opt-out” language as to the sale of personal information, instead of the “opt-in” required under GDPR; and (2) does not really limit the general collection or use of information – businesses must simply notify customers of the collection or use of personal information “at or before” such collection or use.
Naturally, California’s action will extend far beyond its state borders. Many businesses, even those of smaller size, will have some connection to the personal information of Californians. Also, now that California has acted, other U.S. states are sure to follow. If you collect or use personal information potentially involving Californians, start preparing now! The good news for businesses with EU connections is that California’s Privacy Act shares many of the mandates contained within GDPR, though to a lesser degree in most cases. As with GDPR, while the Privacy Act paints with a broad brush, many of the particulars will need to be filled in by subsequent regulation and business trial-and-error – which could be crippling for a business, particularly a smaller one, that finds itself on the wrong end of a Privacy Act enforcement action once the Privacy Act becomes effective.