Apparently how you smell is personal information (in California).

With the EU’s General Data Protection Regulation (GDPR) of 2016 in force for about a month, California’s legislature was looking to up its game and “get tough” on its big, home-grown tech companies’ well-documented privacy faux pas. So on June 28, 2018, California enacted the U.S.’s first elevated, GDPR-like privacy measures at the state level. Beginning on January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will be effective, and it will have a far-reaching impact on US and foreign companies’ business activities involving the personal information of Californians.

Many companies with a US presence choose to apply the most stringent privacy standards of any US state to simplify their privacy compliance effort. So California’s new law will have the practical effect of enhancing privacy protections that benefit U.S. citizens nationwide. Here are some crazy and not-so-crazy things you should know about this new law (which was drafted in a mere 7 days).

Is California’s New Law GDPR-Lite?

Some of the features of the CCPA will look familiar to anyone who has been dissecting and analyzing the GDPR. The right of privacy is now an “‘inalienable’ right of all people” in California, though it is a “fundamental” right in the EU regulation. Now Californians have a right to:

  • Be informed about what personal information businesses collect about them
  • A right to be informed of the extent and purposes of the collection at the time the personal information is collected
  • A right to access the collected information, and
  • A right to have personal information deleted from a business’s records.

To keep consumers informed about how businesses collect, use, and (sometimes) sell their personal information, as well as their rights with respect to that personal information, businesses subject to the CCPA will be required to refresh their privacy policies at least annually. Like the GDPR, the CCPA gives businesses a short period of time to comply with personal information access requests (here, 45 days instead of 30 days under the GDPR, but both deadlines are extendable for cause). Businesses also may not discriminate against consumers for exercising their rights relating to their personal information, including by denying them goods or services, charging different prices based on their choices/restrictions on use of their personal data, or providing different levels or qualities of service, unless such differences are reasonably related to the value provided to the business by the consumer’s data (think about a Facebook feed made more content-rich by sharing personal information versus one minimally populated as a result of limited sharing). Interestingly, businesses can also provide incentives to consumers for authorizing the sale of their personal information, including payments directly to the consumer for the right/consent to engage in that activity.

Like GDPR, but different in important ways…

Some of the features of California’s new law, however, are not drawn from the GDPR and seem to be targeted towards curbing some often-criticized practices of California’s Silicon Valley tech giants. It will be easier for consumers and employees to sue businesses, including under a class action lawsuit, following disclosure of a data breach involving their personal information. The California Attorney General also has broader powers under the new privacy law to investigate and fine companies that don’t adhere to the requirements of the CCPA. Most notable, however, are the incredibly broad definition of “personal information” that is caught in the law’s net and the right of consumers to opt out of giving businesses the right or consent to sell their personal information.

Although the definition of personal data (the EU equivalent of personal information) was broader than other similar laws at the time of the GDPR’s enactment in 2016, California has exceeded that definition and expanded the scope of information subject to its new privacy law. California covers identifiers like name, address, email address, social security number, and biometric information, and includes some additional categories like audio, visual, thermal, olfactory, or similar information about a person. How you smell and the heat your body gives off apparently are personal information under the CCPA!

Importantly for most businesses, however, California includes in its definition of personal information:

  • Unique identifiers like Internet Protocol (IP) addresses
  • Geolocation data
  • Shopping, browsing, and search histories as well as other information relating to a consumer’s interaction with a website, application, or advertisement, and
  • Consumer profiles created from this information or inferences drawn from personal information regarding a consumer’s “characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”

Practically speaking, this means that businesses that use online identifiers like cookies and web beacons to track and act on users’ activities on their websites must both disclose their use of these technologies and give people the option to opt out and request that the company delete all information collected through those cookies and other tracking technologies.

Don’t sell my data, dude!

The CCPA gives consumers the right to opt out of the sale of their information from one business to another. Businesses will be required to make at least two methods available for consumers to exercise their rights under the CCPA, including at minimum a toll-free phone number and, if the business operates a website, a web address. In addition, much like opt-outs for direct marketing operate now, with direct links to the opt-out page at the bottom of marketing emails, businesses will be required to have a conspicuous link on their homepage titled “Do Not Sell My Personal Information” enabling consumers to exercise that right to opt out. Businesses must respect these opt-outs for a period of at least 12 months before contacting the consumer again for authorization to sell their personal information.

With about 18 months to go before the CCPA goes into effect, there is still time for the California legislature to make changes to the legislation. California needs to address some drafting errors, given that this law was put together astonishingly fast (the law went from draft to law in a single week) in order to meet a deadline related to the withdrawal of a ballot measure on the same issue. But it is unlikely that major changes to the law will be made any time soon. Businesses nationwide should continue to watch as California prepares to enter the enforcement period under its new, upgraded privacy law and think about how they will address these new requirements that take effect in January of 2020.

As always, we’ll continue to write about this and other important privacy compliance updates. And if you would like to learn more about California’s privacy law and how it may affect your business, please contact us; we’re here to help.

Antigone G. Peyton
Photo credit Lukasz Stefanski via Creative Commons license.