California Consumer Privacy Act of 2018 – A U.S. Version of EU’s GDPR

Posted by:

The California Consumer Privacy Act of 2018, regarded as the most comprehensive privacy law in the United States, was unanimously passed by the California legislature and signed into law by governor Jerry Brown on June 29, 2018. The bill (AB 375) was fast-tracked through the State Senate and Assembly in a rush to defeat an even stricter privacy ballot initiative, which was introduced by Californians for Consumer Privacy. After weeks of intense negotiations with technology companies, Californians for Consumer Privacy agreed to withdraw the initiative if AB 375 was signed into law.

The  new law, which takes effect January 1, 2020, is a reactive measure to recent privacy and data breaches, including the Cambridge Analytica scandal, and governs the use of California consumers’ data by larger companies. Businesses are required to disclose the categories of information to be collected prior to collection, as well as the identity of third-parties that are allow to access that information. Consumers also have the right to request the data that has been collected on them and may also request that the data be deleted. While consumers over 16 years old may opt out of having their data sold to third-parties without being penalized, businesses are prohibited from selling data collected from consumers under 16 years old unless these underage consumers affirmatively opt-in. The bill also gives California consumers the right to sue for up to $750 in the event of a data breach involving non-encrypted personal information due to the failure to implement and maintain reasonable security procedures and practices.

While this California law is the strictest in the nation, it is less restrictive than the EU GDPR.  For example, the GDPR requires consumers opt into, or give consent, by “clear affirmative action,” prior to the collection of personal data, whereas the California law only requires disclosure prior to the collection of personal data and allows them to opt-out of the sale of personal data. Most importantly, the GDPR requires any business that offers goods or services to consumers in the EU and collects any personal data from those EU residents to comply with the GDPR, while the California law only applies to companies that do business in California and satisfy one of the following criteria: (1) have an annual gross revenue exceeding $25 million; (2) in connection with a commercial purpose, annually buy, receive, sell, or share the personal information of 50,000 or more consumers; or (3) derive 50% or more of its annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act may not remain in final form as passed. Tech companies have already expressed their desire to lobby legislators to change certain provisions of the law which they believe will result in unintended consequences. Lawmakers are expected to make amendments to the bill over the course of the next 18 months.

Conkle Kremer & Engel will continue to monitor the status of the California Consumer Privacy Act and will report on changes to the final version of this law, if any. CK&E has many years of experience advising clients about regulatory compliance issues they face, and helping them prepare for foreseeable changes in the law.

 

0

GDPR is Coming: If Your Business is Online, Beware the New EU Privacy Regulation

Posted by:

If you sell or offer goods to EU residents, even from the U.S., it is now necessary to re-examine your data processing and privacy procedures. There is a new EU privacy law that will go into effect on May 25, 2018, with significant penalties for violations. The EU General Data Protection Regulation, or “GDPR,” covers any website, including a U.S.-based website, selling to EU residents and processing personal data of those EU residents.  Here are some basic questions and issues to address concerning your online presence:

Do you collect, store, or use Personal Data? You are subject to this regulation if your website collects, organizes, stores, disseminates, uses or otherwise processes personal data of EU residents, regardless of where your website keeps or uses such information.

“Personal Data” will likely be broadly interpreted. The GDPR defines “Personal Data” very broadly to include any information that can be used to identify an individual. This can include all sorts of data, like names, e-mail addresses, office addresses, and even IP addresses.

Can your users easily revoke consent? The GDPR takes consent seriously. The GDPR requires you to demonstrate consent was “freely given, specific, informed and unambiguous” by a “clear affirmative action” on the part of the user for the processing of personal data. When you ask for the user’s consent, you must articulate “specified, explicit, and legitimate purposes” for processing the data. Limit the data you collect to what is necessary to achieve these articulated purposes. Be extra careful if you are collecting sensitive personal data – the GDPR raises the bar for obtaining consent to process “special categories of personal data.” And make sure it is as easy for the user to withdraw consent as it is to give consent.

Can you respond quickly and effectively when the user exercises rights under the GDPR? The GDPR grants users, or “data subjects,” quite a few rights, including but not limited to knowing where and why you are taking the data and anything that happens to it, objecting to its collection or use, obtaining a copy of it, correcting or erasing it, or restricting its use. Make sure you have procedures in place to respond appropriately in the event a user exercises rights under the GDPR.

Penalties for failure to comply can be steep. Failure to comply with the GDPR can expose companies to administrative fines of up to 20 million Euros or 4% of the total worldwide annual turnover of an “undertaking” of the preceding financial year, whichever is greater. Even if you use vendors to process your data, you are still responsible for monitoring compliance. You are required to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

The EU GDPR is a minefield of regulatory requirements that require a close examination of your data processing and privacy procedures. Some companies, such as Microsoft, are implementing a single system worldwide to comply with the EU’s requirements, effectively granting greater-than-required  rights to non-EU residents.  There will likely be considerable uncertainty and confusion as the GDPR requirements are implemented and enforcement begins.  Contact Conkle, Kremer & Engel to help bring your data processing and privacy procedures into compliance.

0