Whether you like it or not, 2019 is coming to an end. With 2020 at our doorstep, it’s time to face the music and start paying attention to another tune in the ever-changing cacophony that is privacy law in the United States.
On January 1, 2020, the California Consumer Privacy Act of 2018 (the “Act”) goes into effect. Here, I’d like to give you some overview of the Act. But first, its important to note that this law does not only apply to California businesses, but instead, to any business meeting certain thresholds pertaining to Californian residents. So, if you are a business in Texas, but meet the standards of the Act – then you must comply.
So, who has to comply with the Act?
The Act will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information.
Generally speaking, that means that smaller companies, and/or those that do not traffic in large amounts of personal information will not have to comply with the Act.
A company also is exempted from its compliance obligations under the Act “if every aspect of … commercial conduct takes place wholly outside of California,” meaning that: (1) the business collected the information from the consumer in question while he or she was outside California, (2) no part of any sale of his or her personal information occurred in California, and (3) no personal information collected while the consumer was in California is sold.
However, many companies will fall under the Act because they have “consumers” (California residents) among their customers, as described in further detail below.
Who is protected by the Act?
The Act requires that the protections listed above be made available to “consumers,” who are defined as California residents for tax purposes. Realistically, this makes it likely that companies with California-based customers, which are most companies operating to a substantial level on the Internet, will need to comply with the Act, and will need to update their privacy policies and Web sites in order to do so.
Now that we know who is covered, let’s talk about the Act itself.
What are the Act’s major provisions?
The Act “consumers” (defined as natural persons who are California residents) four basic rights in relation to their personal information:
- the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
- the right to have a business delete their personal information, with some exceptions; and
- the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
The Act’s provisions are designed to put these rights into practice. The Act requires that companies make certain disclosures to consumers via their privacy policies, or otherwise at the time the personal data is collected. For example, businesses need to disclose proactively the existence and nature of consumers’ rights under the Act, the categories of personal information they collect, the purposes for which that personal information is collected, and the categories of personal information that it sold or disclosed in the preceding 12 months. In terms of compliance, these provisions will require companies to determine what personal data they are collecting from individuals and for what purposes, and to update their privacy policies every 12 months to make the disclosures the Act requires.
Companies that sell consumer data to third parties will need to disclose that practice and give consumers the ability to opt out of the sale by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page. This is known as the right to “opt out.” The Act further provides that a business must not sell the personal information of consumers younger than 16 years of age without that consumer’s affirmative consent (or, for consumers younger than 13 years of age, without the affirmative consent of the consumer’s parent or guardian). This is known as the right to “opt in.”
Consumers also have the right to request certain information from businesses, including, for example, the sources from which a business collected the consumer’s personal information, the specific pieces of personal information it collected about the consumer, and the third parties with which it shared that information.
As you see, the Act is a fairly sophisticated and burdensome new law going into place. If you have not already been prepping for compliance with the Act, then now is the time.
About Harrison Oldham
Harrison grew up in Mansfield, Texas. He attended Texas A&M University for his bachelor’s degree, where he met his wonderful wife, Kelsey. After graduating magna cum laude from Texas A&M, he attended SMU Dedman School of Law, graduating with honors in 2012. Today, Harrison and his wife live in Dallas, Texas with their son, Teddy.
Since graduating from SMU Law, Harrison has worked exclusively in the field of business law. He has spent time in private practice and in-house, working with clients of every size; from single person startups to Fortune 250 companies. Today his practice focuses on serving the diverse needs of businesses and individuals throughout Texas. You can learn more about Harrison by visiting his website, at: http://