By Jan Willem Knibbe
Introduction
With more and more countries introducing far-reaching privacy laws, California has now followed suit and adopted the California Consumer Privacy Act, or CaCPA in short. Where the EU took years to adopt the GDPR, California was able to pass the law in record time: less than a week. There will be a transition period until January 1, 2020, giving businesses some time to prepare for compliance with CaCPA.
California has always been at the forefront when it comes to data protection and privacy, with a law making it mandatory for websites to have a privacy policy (CalOPPA), and it enacted one of the first data breach notification laws in 2002.
The law aims to give California residents greater control over how organisations collect, use and disclose personal data. In this article we have a look at the scope of the law, the sanctions for a breach, and to what extent market researchers will be in scope or can benefit from derogations.
Whom does the law apply to?
The law applies to any organisation doing business with a California resident. We'll thus have a look at what the law means by an 'organisation doing business' and when someone is a 'California resident'.
In order to determine whether your organisation falls into scope, CaCPA gives a list of criteria that should be met to qualify as a business. At least one of the following three questions should be answered with yes:
- Are your annual gross revenues higher than $25,000,000?
- Do you derive 50 percent or more of your annual revenue from selling consumers’ personal information?
- Do you annually buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices?
Furthermore, all of the following should be true:
- You are a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners.
- You collect consumers’ personal information, or someone collects it on your behalf.
- You alone, or jointly with others, determine the purposes and means of the processing of consumers’ personal information.
- You do business in California.
The second question is who classifies as a consumer, which the law defines as a "natural person who is a California resident, however identified, including by any unique identifier." A resident is defined in California law as (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.
The 'Consumer' in the title is thus a bit of a misnomer, as in fact all California residents fall under the definition; employees, for example, are also covered by CaCPA.
What is defined as personal data
Critical for any privacy law is what it defines as personal data. CaCPA defines it as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." For those familiar with the European data protection approach the definition of personal information should sound familiar, but note that it is not limited to persons: households are also within scope of the definition. Think for example about energy consumption per household.
The rights of citizens
If you are in scope of the law, it means that you will need to prepare for several rights that California citizens will have under CaCPA:
- The right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. The IAPP has provided a very helpful chart about what to disclose and where to disclose it which you can find here.
- The right to “opt out” of allowing a business to sell their personal information to third parties (or, for those who are under 16 years old, the right not to have their personal information sold absent their or their parent’s opt-in).
- The right to have a business delete their personal information.
- The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
The law thus places a focus on transparency and requires you to explain where the personal information comes from, where it is stored, where it is transferred to, and who has access to it.
Enforcement
Enforcement is primarily the responsibility of the California Attorney General (AG); no separate enforcement body is created. CaCPA makes a distinction between intentional violations and unintentional violations. An intentional violation can be fined up to $7,500 per violation. An unintentional violation can be fined up to $2,500 per violation if the business fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. In addition, consumers whose personal information is affected by a breach could receive $100 to $750 per resident per incident, regardless of whether actual damages are shown as a result of the breach.
Individuals can also take action, but only where the AG has first given the organisation the opportunity to rectify the issue, and they must notify the California AG.
What about research?
CaCPA provides some derogation for research purposes, but given the way research has been defined it is unlikely that the data, research and insights community can benefit from these exemptions. In particular, it requires that research with personal information shall not be used for any commercial purpose.
Getting ready for CaCPA
The following three key points should get you ready for the
Understand your data flows. To respond to consumers exercising their right to know, you will need to know:
- when and how you collect PI about California residents;
- where you store that information and for how long; and
- with whom you share that information.
Prepare for citizens' rights. Consider your internal systems and processes to see if you are ready to honour the rights to access and deletion, and to honour opt-outs (or opt-ins for citizens under 16).
Update your public privacy statement. Make sure that the information you provide is accurate and discloses all the items CaCPA requires you to cover.