What’s The Deal With The California Consumer Privacy Act?
Have you heard about California’s big new privacy law? The “California Consumer Privacy Act of 2018” (the “Privacy Act”; Cal. Civil Code § 1798.100 et seq.) goes into effect in January of 2020. Significant media coverage surrounding the new law has led many businesses – Terrapin included – to question whether and how the law may apply to them. Terrapin has analyzed the new law and while we do not expect it will affect our clients from an operations or business perspective right now, we feel it’s important to understand how it may impact you personally.
What Is The Privacy Act About?
The Privacy Act is intended to give consumers greater control over personal information that businesses collect about them. The legislative findings in support of the law refer to the proliferation of personal information in the digital and Internet age, and the increasing difficulty people have controlling the use of such information. Remember the 2018 Facebook-Cambridge Analytica scandal? That is cited as one example and motivator for the new law. The Privacy Act is frequently compared to the EU General Data Protection Regulation (Regulation (EU) 2016/679), commonly referred to by its initials “GDPR.”
What Information Is Covered By The Privacy Act?
The Privacy Act defines personal information broadly – information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civil Code § 1798.140(o). This information includes:
- Addresses – postal, email, and Internet Protocol (“IP”) addresses
- Social security numbers
- Account names
- Driver’s license numbers
- Passport numbers
- Biometric information
- Internet activity (browsing history, search history, and info regarding a consumer’s interaction with a website, app, or advertisement)
- Geolocation data
- Audio/visual information
- Professional or employment related information
- Education information
- “Inferences drawn” from such information to create a “profile” about a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Id. Personal information does not include information that is “publicly available,” such as information “lawfully made available from federal, state, or local government records,” or consumer information that is “deidentified or aggregate” in nature. Cal. Civil Code § 1798.140(o)(2).
What Businesses Are Covered By The Privacy Act?
Again, Terrapin does not expect that the Privacy Act will impact our clients from an operations or business perspective. It applies to for-profit businesses that: 1) do business in California; 2) collect, or have collected for their benefit, consumers’ personal information; 3) participate in the determination of the purposes and means of the processing of such personal information; and 4) satisfy one or more of the following thresholds:
- Have annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- Annually buy, receive, or share, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
- Derive 50 percent or more of their annual revenues from selling consumers’ personal information.
Cal. Civil Code § 1798.140(c)(1).
What Are Consumers’ Rights Under The Privacy Act?
The Privacy Act provides consumers three basic “rights” regarding their personal information:
- The right to know what personal information a business has collected about them; the sources of that information; what that information is being used for; and if and to whom that information has been sold. Civil Code §§ 1798.100(a), 1798.110(a), 1798.115(a).
- The right to “opt-out” of having their personal information sold. Civil Code § 1798.120.
- The right to request that a business delete any personal information about the consumer which the business has collected from the consumer. Civil Code § 1798.105(a).
Though not couched as a consumer’s “right,” the Privacy Act prohibits a business from discriminating against a consumer who exercises any of their rights under the Privacy Act, such as by denying goods or services to the consumer, or charging a different price for those goods or services, or offering a different level of quality of goods or services. Cal. Civil Code § 1798.125.
What Happens If A Covered Business Violates The Act?
A business covered by the Privacy Act that violates it can be subject to civil penalties pursued by the Attorney General. Cal. Civil Code § 1798.155(b). The business can also be subject to lawsuits for statutory or actual damages brought by consumers whose personal information is disclosed by a theft or hack against the business. Cal. Civil Code § 1798.15.
Regardless of whether or not you determine the Privacy Act applies to your business, it is significant new legislation that is sure to receive continued attention as it comes into effect and enforcement actions are pursued under its provisions. Depending on the law’s success (or failure), it may lead to further privacy related laws that are even broader in scope and reach.