On June 28, 2018, the State of California enacted the California Consumer Privacy Act of 2018 (the Act). The Act is likely to affect a large number of businesses and is the most comprehensive state privacy legislation in the United States.
While the U.S. approach to privacy has largely been industry-specific (e.g., healthcare data is regulated by HIPAA; financial services data is regulated by Gramm-Leach-Bliley; and education data is governed by FERPA), the Act applies across all industries. Despite being a California law, the Act’s mandates apply to any business, regardless of where physically situated, that does business in California, collects “personal information” about California residents, and that satisfies at least one of the following: (i) has gross revenues in excess of $25M; (ii) annually buys, sells, receives, or shares the personal information of 50,000 or more California residents, households, or devices; or (iii) derives 50% or more of its annual revenues from selling the personal information of California residents. “Personal information” is broadly defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a consumer or household.
The Act, which becomes effective on January 1, 2020, gives California consumers five essential rights:
- The right to know what personal information is being collected about them;
- The right to know whether their personal information is sold or disclosed and to whom;
- The right to say “no” to the sale of personal information;
- The right to access their personal information; and
- The right to equal service and price, even when exercising privacy rights.
The Act contains various compliance requirements for businesses to afford California residents these rights, including but not limited to: a means to provide consumers access (free of charge) to their personal information; a method to delete personal information upon request from a consumer; a clear and conspicuous link on the business’ web page titled “Do Not Sell My Personal Information”; and a notice of consumers’ rights on the business’ web page.
The Act further gives a private right of action to consumers whose personal information is subject to unauthorized access or disclosure as a result of a business’ failure to implement and maintain reasonable security procedures and practices.
There are certain exclusions to the Act, including health information collected by a covered entity under HIPAA; sales of personal information to or from a consumer reporting agency if it is for a consumer report and use of the information is limited by the federal Fair Credit Reporting Act; personal information under the federal Gramm-Leach-Bliley Act; and personal information under the Driver’s Privacy Protection Act of 1994. Businesses that hold data excluded under the Act should be aware that the Act may still apply to other, non-excluded data held by the business.
Businesses should begin preparing for implementation of the Act well in advance of January 1, 2020. The first step is for a business to determine if it is subject to the Act and, if so, which data held by the business is subject to the Act. While this may sound like a simple task, businesses should conduct a thorough review of the types and locations of data held, and make the determination of whether some or all of that data is subject to the Act. If a business will be subject to the Act, it will need to develop and implement a plan of compliance with respect to the regulated data.
It is not yet known whether other states will follow California’s lead in enacting broader privacy protections for their residents. If so, that could present increasing challenges for businesses that may need to comply with differing state requirements. While at various times there have been discussions in Washington, D.C. about a federal approach to privacy, to date none has been enacted and none seems close to potential enactment.
Karilynn Bayus is a partner at Saul Ewing Arnstein & Lehr LLP in its Philadelphia office, a member of the Firm’s Cybersecurity and Privacy Practice and Vice Chair of the Firm’s Health Care Practice. Karilynn regularly counsels clients, writes and speaks on HIPAA and other data privacy and security issues affecting the health care industry.