Companies that are getting acclimated to the European Union’s General Data Protection Regulation (GDPR) have a new and just as significant compliance challenge to confront: The California Consumer Privacy Act.

Signed into law in June, the California Consumer Privacy Act will change the way companies both inside and outside the state manage consumers’ personal data by conferring a new set of rights on consumers, and a new set of responsibilities on the companies that handle their data.

Doubt California’s influence?  When is the last time you bought a car that wasn’t compliant with California emissions standards? The new rules will affect a wide range of companies both inside and outside the U.S. The good news is, there is time to prepare. The act won’t take effect until Jan. 1, 2020 and enforcement won’t begin until at least six months after the Attorney General publishes rules implementing the law, or July 2020, the deadline for such rules to be completed, whichever comes first.

What follows is a short summary of the law, and how it will affect businesses with exposure to California residents.

Who is subject to the law?

In short, the act applies to for-profit entities that collect and process California residents’ personal information and do business in the state. A physical presence in California is not a requirement. In addition, the entity must meet at least one of the following criteria:

• Generate annual gross revenue > $25 million
• Receive or share data of > 50,000 California residents annually
• Derive at least 50 percent of annual revenue by selling residents’ personal information

Non-profits and companies that don’t meet any of the three above thresholds are exempt.

What is personal information?

The act includes a broad definition of personal information. It is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably linked , directly or indirectly, with a particular consumer or household.” Note the use of the term “household,” meaning the data does not have to be associated with a name or specific individuals. The act lists a wide range of standard examples that includes Social Security numbers, drivers’ license numbers and purchase histories, but also “unique personal identifiers” such as device identifiers and other online tracking technologies. Information that is publicly available and aggregated or de-identified data is excluded, as is medical or health information collected by a person or entity governed by California’s Confidentiality of Medical Information Act or  HIPAA.

What new rights are given consumers?

The law provides consumers with more control over their personal information in four ways:

• Knowledge: Consumers must be able to learn – generally through a publicly posted privacy policy and specifically by request – what personal information companies are collecting, how it is being collected and used, and whether and to whom it is being disclosed or sold.
• Sale of Data: Companies must make it easy for consumers to opt-out of having their personal information sold to a third party, and require consumers who are under 16 to opt-in in order to allow their information to be sold. Companies must post a “Do Not Sell My Personal Information” link on their homepages.
• Data removal: Consumers may request that companies delete their personal information and businesses must inform customers that they have this right. Businesses must comply with these requests and ensure the consumer’s data is also deleted by third party contractors. There are some exceptions, for example if the data is needed to complete a transaction.
• Service equality: For the most part, companies cannot discriminate against consumers who exercise their privacy rights. However, the act sows confusion by allowing companies to charge a different price or provide a different level of service to customers if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.” Businesses can offer consumers financial incentives to allow data collection.

Disclosure Responsibilities

Increased disclosure will be a large part of compliance. Companies will need to proactively explain privacy policies to consumers when data is collected. That includes informing consumers of their rights under the Act, the sort of personal information collected, the ways that data is used and the types of personal data the company has sold to third parties in the last year. These disclosures must be updated every 12 months.

Private Right of Action

Opening the door to a potential flood of litigation, the Act provides consumers a private right of action if their data “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Consumers can file individual or class action lawsuits, and can recover between $100 to $750 in statutory damages per incident, or actual damages. It also allows consumers to seek injunctive and other forms of relief, and sets out different procedures for actions seeking actual versus statutory damages.

Penalities for Noncompliance

Companies that fail to comply with the act are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Once notified of a violation by the Attorney General, companies have 30 days to come into compliance in order to avoid penalties.

How to Prepare

The Act has already been amended once, and may go through additional updates before it takes effect, but businesses should start to prepare now. Privacy policies, procedures and websites will need to be updated before it takes effect. Companies will want to catalog the types of data they collect and how that data is used.

[View source.]