In May 2018, the European Union’s sweeping data privacy regulation, the General Data Protection Regulation (“GDPR”), went into effect. Ever since, companies in the United States have been trying to figure out whether they are subject to the GDPR and if so, how to implement its requirements – neither of which is straightforward. Some companies may conclude that they need not worry about the European regulation because it is unlikely a European enforcement agency would ever seek to enforce the GDPR against them. In late June 2018, however, the State of California passed the California Consumer Privacy Act of 2018, which brings some of the aspects of GDPR closer to home and establishes California as the most protective state in the country when it comes to data privacy. Companies in New England that sell products or services to residents of California may be subject to this new law, which takes effect on January 1, 2020. The types of data subject to the new California statute run the gamut – from water and energy consumption, to employee job descriptions, to IP addresses, to web browsing histories.
Like the GDPR, the California Consumer Privacy Act of 2018 allows residents of California to determine what information businesses collect, request that the information businesses possess be deleted, and direct businesses to stop selling data about them. Businesses must also get consumers’ consent before collecting and storing data about them. Obtaining informed consent will require a complete and thorough disclosure of the types of information that will be collected and how it will be used. While businesses cannot deny their products and services to consumers who do not consent to the collection of data, the California law allows businesses to offer different levels of service or charge different rates depending on whether a consumer allows the collection of data. Businesses may be forced to justify the difference in levels of service or rates, however. The law empowers the California Attorney General to enforce compliance and gives consumers the right to file suit and obtain damages against businesses that fail to comply.
Companies that are subject to the new California law will need to implement procedures that allow consumers to opt out of data collection or to inform the companies that they may not sell consumers’ data, as well as procedures to deal with requests to delete data. As with the GDPR’s right to be forgotten, companies may find it difficult to truly purge all data on a specific consumer, particularly from backup repositories. All of these processes and procedures will need to be accurately described in updated written privacy policies.
Not all companies in New England will be subject to the California statute because it, unlike the GDPR, contains objective tests to determine whether a company is subject to the statute. The statute applies only to those companies that have annual gross revenues of at least $25 million; obtain information on at least 50,000 California residents, households or devices annually; or derive 50% or more of their annual revenue from selling information on California residents. There is an exception for companies that can prove their commercial conduct takes place wholly outside California, but the term “doing business” is interpreted very broadly. Repeated transactions occurring in California will likely trigger the new data privacy law.
Regardless of whether New England companies are directly subject to the California statute, its passage may cause ripples across the country. It is possible that the California statute will set a standard that will sweep across the country and cause other states to pass similar legislation to protect their residents. It may be prudent for New England companies to begin to examine how they would comply with more stringent data privacy laws.
The landscape of privacy laws continues to change. Companies should monitor these developments closely and audit their practices to ensure compliance.
J.P. Harris is a shareholder at Sheehan Phinney Bass & Green.
This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice.