Hello from deep in the Maine woods!
There's a Rufus Wainwright song I've always liked, called "California," that seems pretty apt today. "California," he sings, "it's such a wonder that I think I'll stay in bed."
For those of you just off a GDPR sprint, this new California Consumer Privacy Act we've been handed this morning might be enough to get you pulling up the covers and sticking your head under the pillow. Especially those of you, like me, who had a little R&R planned for the coming Fourth of July week. Really, there's nothing quite so relaxing as barbecuing in the backyard and poring over legislative text, right?
We'll have the full analysis of the bill for Monday, but in the meantime, here are the highlights:
• Consumers will have the ability to request a record of what types of data an organization holds about them, plus information about what's being done with their data in terms of both business use and third-party sharing.
• You'll have to have a verification process so consumers can prove they are who they say they are when they do their requesting.
• This institutes a full right to erasure, with carve-outs for completion of a transaction, research, free speech and some internal analytical use.
• Organizations will have to disclose to whom they sell data and consumers will have the ability to object to the sale of their data to any third party. And you have to make it easy to object, with a special "Do Not Sell My Personal Information" button. Yes, really.
• Sale of children's data will require express opt-in, either by the child if between ages 13 and 16, or by the parent if younger than that.
• Organizations cannot "discriminate against a consumer" based on the exercising of any of the rights granted in the bill. For example, you can't provide a different level or quality of service based on a consumer objecting to the sale of their data. However, organizations could offer higher tiers of service or product in exchange for more data as long as they're not "unjust" or "usurious."
• A "business" is defined as any for-profit entity that either does $25 million in annual revenue; holds the personal data of 50,000 people, households or devices; or does at least half its revenue in the sale of personal data. That's a lot of companies in California.
• The law would be enforced by the attorney general and create a private right of action for unauthorized access to a consumer's "nonencrypted or nonredacted personal information." Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).
• Finally, the law applies to any "consumer," defined as a "natural person who is a California resident," which is defined as "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."
The relatively good news is that the law doesn't go into effect until Jan. 1, 2020, and many legislators and others involved with the bill seem to be saying that they may want another bite at the apple by amending the law before that time. It's possible that some features of the law change considerably before it comes into force. But you certainly have some time to prepare, and the IAPP will be right there with you, with all kinds of helpful information to help you operationalize what stands to be a very important piece of privacy legislation, indeed.
Happy Fourth of July!
Sam