THE CHANGING LANDSCAPE OF ONLINE PRIVACY – A CLOSER LOOK AT CCPA
In a recent unpublished opinion, the Ninth Circuit upheld a lower court’s dismissal of a case against Facebook alleging violations of various federal and state laws related to internet privacy and Facebook’s collection of browsing data. Although this was an apparent victory for Facebook, it is important to understand that the statutory landscape related to internet privacy is soon to change.
Beginning January 1, 2020, the California Consumer Privacy Act (the Act) will grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. The Act imposes different duties upon a business depending on whether the business is simply collecting personal information or collecting personal information with the purpose of selling to a third party. Businesses that violate applicable portions of the Act may be subject to separate civil actions by both consumers and the California Attorney General.
As with most statutes, the Act has an extensive definition section that must be reviewed and understood if any meaningful steps toward compliance are to be taken. Along with definitions for “consumer”, “collect”, and “sell”; businesses must pay close attention to the type of information the Act considers to be personal information. Personal information includes; but is not limited to, biometric information, geolocation data, online identifiers, and internet protocol addresses. Along with the defined terms, businesses must know what duties the Act imposes in order to avoid pitfalls. In reviewing the legislation, I found five key themes for compliance plans:
#1 TELL CONSUMERS WHAT INFORMATION YOU’RE COLLECTING
A business that collects a consumer’s personal information must inform those consumers of the types and purpose of information collected. Notice by the business to the consumer that information is being collected must be done at or before the point of collection. Consumers have the right to request that a business disclose the categories of personal information it has collected, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling personal information, and the specific pieces of personal information it has collected about the consumer – all over the previous twelve month period.
Businesses that collect information must make available two or more methods for submitting requests for information to be disclosed. At a minimum, the business must have a toll-free telephone number and a website address (if the business maintains a website).
#2 GIVE CONSUMERS AN EASY OPT-OUT
Consumer’s have the same right to request information from businesses when the business is engaged in the sale of a consumer’s personal information. If a third party wishes to engage in a subsequent sale of the consumer’s information, a consumer must first be provided explicit notice of the sale and offered the right to opt-out. This right to opt-out can also be exercised by the consumer against the business itself.
Businesses that engage in the sale of personal information must provide a clear and conspicuous link on the website’s homepage titled, “Do Not Sell My Personal Information.” The link shall allow a consumer to opt-out of the sale of their personal information. Furthermore, the business cannot require the consumer to create an account on the website in order to exercise the consumer’s rights.
#3 UPDATE YOUR PRIVACY POLICY
Whether engaged in the sale of data, or just the collection, businesses must make consumers aware of their rights under the Act in the businesses online privacy policy and any California-specific description of consumer privacy rights. Also within the privacy policy, the Act mandates businesses put a second, separate link to the “Do Not Sell my Personal Information” website.
#4 UNDERSTAND THE LIMITATIONS
The Act does not prohibit all collection or sale of personal information. Businesses can collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information. Furthermore, the Act contains a preemption clause, meaning, that if a Federal statute is passed that governs the same conduct, then the Federal law controls and the Act cannot be enforced.
The Act identifies certain circumstances in which a business is not required to comply with a consumer’s request. These circumstances include, but are not limited to, instances where the business must maintain the information to complete the transaction for which the information was collected, to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business, or to otherwise use the consumer’s personal information, internally, in a lawful manner.
#5 GET EXPERT ADVICE
Businesses have 30 days to cure violations of the Act; however, failures to comply are enforced by the California Attorney General via civil penalties in the amount of $2,500 for each violation or $7,500 for each intentional violation. The Act also grants citizens a private righty of action. Under this provision, a consumer can be awarded damages, actual damages, injunctive relief, or any other relief the court deems proper.
The California Consumer Protection Act will require businesses servicing residents of California to notify consumers of their rights to know what information is collected about them and to opt out if that information is then sold to third parties. Businesses should consult with experienced legal counsel in order to understand the implications of the Act to their business model and to help achieve compliance under its terms.
Has your business started to plan for CCPA compliance? What impacts do you foresee for the future of internet privacy?
Matt Lawhon
Owner
M B Lawhon Law PLLC