The California Consumer Privacy Act of 2018 (CaCPA) seemed to appear out of nowhere as it passed the desk of Gov. Jerry Brown. Since we’d be hard pressed to find a business that doesn’t somehow collect data – and because many businesses today do also financially profit from the sale of consumer data – this new California data privacy law may affect half a million businesses across the United States. To help you navigate, we’ve put together a guide of everything you need to know about the California data protection law.
Update: The first set of amendments to the law was passed Aug. 24. There are 45 amendments in the revised bill, but many of them address technical errors.
What Law Are We Talking About?
The California Consumer Privacy Act of 2018 (AB 375) was signed into law June 28, 2018, by California Gov. Jerry Brown. It’s being described as landmark policy, and is the first major data privacy law passed in the United States. Broadly, it guarantees Californians the right to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed, and to whom
- Access their personal information
When Does It Take Effect?
The law will go into effect Jan. 1, 2020. However, it’s expected that the law will be amended before that date to fix ambiguities and other issues arising from the one-week turnaround from draft to law.
Why Is This Significant?
Salesforce.com CEO Marc Benioff applauded the new law, saying it could help ease the “crisis of trust” between the technology industry and consumers. He also spoke in support of a national privacy law similar to the EU’s recent General Data Protection Regulation (GDPR).
“Our customers’ data belongs to them,” Benioff said. “It’s their data. I think in some cases, companies that are startups and next-generation technologies here in San Francisco, they think that data is theirs.”
The passage of the CaCPA is significant for several reasons:
- Consumers have become more aware lately of how little control they have over their data. Facebook’s Cambridge Analytica scandal and other privacy missteps likely contributed to the social network’s recent 20+ percent stock plummet. Google has repeatedly faced FTC scrutiny over user privacy violations, and paid $22.5 million over its use of activity-tracking cookies on users of the Apple Safari web browser. People around the world are beginning to see the impact of a data-for-service model, and grassroots movements are aligning with legislative power to return control of their data to their own hands.
- The sweeping protection of the GDPR went into effect on May 25, 2018. As with the CaCPA, the GDPR protects EU citizens and residents but applies to any company, worldwide, that collects, stores, or sells personal data from the EU.
- California has often led the way in codifying privacy protections. In 2002, it enacted the first U.S. laws requiring notifications of data security breaches, and in 2004, the first law requiring website privacy policies. In fact, there are roughly 25 existing privacy laws in California. Many believe the CaCPA could be the first among many in other states, and potentially open the door for national privacy legislation.
- Many of the world’s technological juggernauts are headquartered in California, with Silicon Valley the birthplace of innovation for Google, Facebook, and many others. It’s notoriously tough to fight the tech giants – last year, CaCPA co-author Assemblyman Ed Chau tried to push a bill requiring internet service providers to seek permission from customers before accessing, selling, or sharing their browser activity. The bill never made it out of committee. The fact that the CaCPA became law, and so quickly, speaks to its widespread popular support and the pressure constituents are placing on their legislators to take action.
Where Did This Law Come From?
The CaCPA was pushed through in just one week’s time and signed hours before the close of the 2017-18 California legislative session – incredibly quick for legislation with such widespread ramifications. The push was in response to a much stricter ballot initiative backed by San Francisco real estate developer Alistair Mactaggart.
Mactaggart says he decided to take on the privacy issue after a Google engineer told him consumers have no idea just how much data online companies have collected on them. Supported by $3.5 million of Mactaggart’s own funds, initiative measure No. 17-0039 received more than 629,000 signatures, which exceeded the number required to put the issue on the November 2018 ballot.
Mere days before Mactaggart could certify the signatures, California Democrats agreed to push a compromise bill in exchange for dropping the initiative. While tech industry lobbyists are no fans of the CaCPA, the industry agreed not to oppose the bill since the much less favorable ballot initiative had a good shot of passing among voters later this year.
While the ballot initiative is similar to the CaCPA, there are some notable differences:
- The CaCPA moves the effective date from August 2019 to Jan. 1, 2020.
- The CaCPA can be modified by the California legislature by a simple legislative minority, while the ballot measure would have required either another voter ballot or a 70 percent legislative majority. What’s more, the only modifications the original initiative would have allowed were those that were “consistent with and further the intent of this Act.”
- The CaCPA makes it more difficult for consumers to sue noncompliant businesses, putting most of the enforcement action in the hands of the state Attorney General.
- The CaCPA affects more companies, as it lowered the threshold to apply to businesses with $25 million in annual revenue – half of the $50 million threshold floated by the ballot initiative.
Is the CaCPA Similar to the GDPR?
The most recent headliner in privacy regulation was the GDPR, and many are comparing the CaCPA to the EU’s landmark act. Still, the CaCPA is not as sweeping, and it’s different in key ways.
Notably, U.S. businesses may assume that their GDPR-related compliance measures will also put them into compliance with the CaCPA. This is not the case. When compared with the GDPR, the CaCPA:
- Requires disclosures, communication channels, and other measures not required by the GDPR.
- Defines “personal data” more broadly, and includes data on households and devices – not just individuals.
- Gives Californians greater rights to direct data deletion and to access personal data.
- More rigidly restricts data sharing for commercial purposes.
- Makes it more difficult for companies to offer a choice between for-charge and charge-free services based on whether the consumer gives informed, voluntary, specific, and express consent to data monetization.
Who Does the CaCPA Protect?
The law applies to any consumer, defined as a “natural person who is a California resident.” This is further defined as:
- Any individual in the state for any purpose that’s not transitory or temporary
- Any individual who is domiciled in the state but currently or occasionally outside the state for a temporary or transitory purpose
This means that consumers traveling or with partial residence in other states would be protected, so long as their domicile is California. It also means the law applies to business-to-business (B2B) companies as well as business-to-consumer (B2C).
California has the fifth-largest economy in the world – just ahead of the United Kingdom ($2.747 trillion versus $2.625 trillion, respectively) – and 40 million residents. That offers broad protection for a huge portion of the world’s population.
What Does the CaCPA Protect?
The law gives consumers the right to…
- Request a record of the types of data an organization holds about them, along with information about how that data is used for business purposes and third-party sharing
- Request to have their data erased
- Object to the sale of their data
What Businesses Must Comply with the CaCPA?
A covered “business” is defined as a for-profit entity that meets at least one of the following three conditions:
- Earns $25 million or more in annual revenue (it’s not clear whether this is California revenue, or global sales)
- Holds the personal data of at least 50,000 people, households, or devices
- Obtains at least half of its revenue selling personal data
According to the IAPP, the entity must also meet all of the following conditions:
- It is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized and operated for the profit or financial benefit of shareholders or other owners
- It collects consumers’ personal information, or has someone collect it on its behalf
- Alone, or jointly with others, it determines the purposes and means of the processing of consumers’ personal information
- It does business in California
Any entity passing this test will be subject to the law, regardless of its geographic location. It’s estimated the law will apply to more than 500,000 U.S. companies, most of which are small- to medium-sized. It will also impact businesses outside the U.S., as long as they do at least part of their business in California.
One exception is a business where commercial conduct “takes place wholly outside of California.” This is the case when:
- The business collected information while the consumer was outside of California
- No part of the sale of the consumer’s personal information occurred in California
- There was no sale of the personal information collected while the consumer was in California
How Do I Know if I Collect or Sell Information?
The law considers a business to “collect” personal information if it buys, rents, gathers, obtains, receives, or accesses it by any means. This can be active or passive, and could even be obtained by observing a consumer’s behavior.
When it comes to selling, it’s not as clear-cut as simply trading data for cash. Simply disclosing data to a third party, so long as it results in financial gain, is activity subject to the law. Under CaCPA, a business “sells” personal information when it sells, rents, releases, discloses, disseminates, makes available, transfers, or otherwise communicates it orally, in writing, or by electronic or other means for “monetary or other valuable consideration.” The law contains exclusions for:
- Consumer consent
- Communicating a consumer’s opt-out instructions to a third party
- Data transfers during mergers, acquisitions, bankruptcies, etc.
It also excludes data used for any of seven specific business purposes:
- Counting ad impressions
- Detecting security incidents
- Debugging and repairing functionality
- Short-term, non-profiling transient use
- Performing services on a business’s behalf (e.g., “data processor” activities like fulfilling orders or processing payment)
- Internal research for technological development
- Verifying or maintaining the quality and safety of the business’s service or device
How Does the CaCPA Apply to Third Parties?
The CaCPA states under Section 1798.145 that a business is not liable for a service provider’s violation as long as the business has no “actual knowledge or reason to believe that the service provider intends to commit such a violation.” Service providers are similarly not responsible for their customers’ violations.
How Does the CaCPA Define “Personal Information?”
The CaCPA’s definition of personal information extends far beyond the data typically included in the definition of PII, though it does track more closely with the broader list in the GDPR. It’s defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” And while it certainly includes the information typically included under PII, it also includes:
- IP addresses
- Characteristics of protected classifications under California or federal law
- Commercial information (e.g., personal property records, purchasing history)
- Geolocation data
- Internet activity (e.g., browsing and search history, web tracking data)
- Professional and employment information
- Education information
- Audio, electronic, visual, thermal, olfactory, or similar information
- Inferences drawn from any of the information contained in the definition
The Aug. 24 amendments clarified this list by adding that the law doesn’t cover any and all instances of this PII — only PII that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
To the extent that it conflicts with the following laws, the CaCPA does not encompass:
- Protected health information collected by a covered entity as defined under federal laws, including HIPAA
- The sale of information to or from a consumer reporting agency for use in a consumer report consistent with the Fair Credit Reporting Act
- Personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1994
It may be possible to avoid the law’s scope by de-identifying or pseudonymizing personal information for research or internal analytics purposes. The CaCPA may also not apply to collection for a single, one-time transaction as long as the collected data is not then sold or re-identified. The law is ambiguous on these points, however.
What Must Businesses Do to Comply With the CaCPA?
The first obligation businesses have under the CaCPA (in its current state) is disclosure. Any disclosures need to be “reasonably accessible” to consumers and updated every 12 months.
Disclosures for collecting data
Businesses collecting (but not necessarily selling) California consumer information must do the following by Jan. 1, 2020:
- Inform consumers of the categories of personal information to be collected
- Inform consumers of the purposes for which the categories of personal information will be used
- Provide notice of the collection of any additional categories of information or use of collected information for any additional purposes taking place after initial disclosures have been made
- Disclose the consumer’s rights to request deletion of personal information, including limitations to those rights
Disclosures for selling data
For businesses selling personal information about consumers or “disclosing it for a business purpose,” there are additional disclosure obligations. First, in addition to the above, they must release two specific lists:
- The category or categories of personal information sold in the last 12 months (if it has not been sold, that fact should be stated)
- The category or categories of personal information disclosed for a business purpose in the last 12 months (if it has not been disclosed, that fact should be stated)
They must also disclose that:
- Consumer information may be sold
- Consumers have the right to opt out of the sale of their personal information
They must also:
- Provide a clear and conspicuous link on the business’s homepage titled “Do Not Sell My Personal Information”
- Ensure any consumer can access the link without being required to create an account
- Include a description of the consumer’s right not to be discriminated against for restricting the sale of their data
- Include a description of a consumer’s rights under Section 1798.120, and an additional link to the “Do Not Sell My Personal Information” page, in any California-specific description of consumer privacy rights
Businesses must also have, and clearly post, one or more ways for consumers to submit requests, including, at the bare minimum, a toll-free number.
Finally, they must obtain an express opt-in to sell children’s data. If the minor is between 13 and 16, the child may opt in themselves; if they are younger than 13, the parent or legal guardian will need to opt in for them.
How Will the Law Be Enforced?
The California Attorney General will enforce the law.
What Is the Penalty for Noncompliance?
For intentional violations not addressed within 30 days, the fine is $7,500 per violation (e.g., per record in the database). Unintentional violations not addressed within 30 days are subject to a $2,500 penalty per violation. Twenty percent of the penalties collected by the State will be allocated to a new “Consumer Privacy Fund.”
Legislators have already said they expect to pass “cleanup” bills to make fixes to the CaCPA. The technology industry is also likely to seek certain modifications to the bill. For its part, the Internet Association lobbying group has dubbed CaCPA a “last-minute” deal that must be corrected.
“Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” the group said. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. …It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
On the other hand, some privacy advocates say the CaCPA lacks the original measure’s strength. They are also concerned that lobbyists will use the 18-month gap to water down the bill. Mactaggart himself, however, has called these concerns “overblown.” He noted that the ballot measure was polling around an 80 percent approval rating before he withdrew it in the wake of CaCPA’s passage. This points to a strong imperative from constituents to protect their personal data, which means legislators would be under a high level of scrutiny for any changes that appear to favor the lobbyist side.
In addition to watching for potential changes to the bill between now and 2020, businesses should take careful note of any supporting or complementary regulations adopted by the California Attorney General’s office, as encouraged under Section 1798.185(a)(1).
In the meantime, affected businesses can take the following steps to prepare for Jan. 1, 2020:
- Businesses selling or transferring data for business purposes should inventory all third parties receiving their data. Pay special attention to requirements for “business purpose” transfers, including the duty to inform consumers when such transfers have not taken place.
- Map and inventory all personal information you collect, use, and store. You’ll also need to map the age of your data subjects to avoid charges that you willfully disregarded the California resident’s age when obtaining opt-in from the minor or their parent/guardian.
- Begin updating privacy policies, California-specific rights pages, and “Do Not Sell My Information” apparatus (if the latter applies).
- Consider alternative business models and web/mobile presences, such as California-only sites and offerings.
- Ensure you have a designated method for submitting data access requests, including, at a minimum, a toll-free number.
- Begin funding and implementing new systems and processes that can help you comply with the new requirements, including:
- Verify the identity and authorization of persons making requests for data access, deletion, or portability
- Respond to requests for data access, deletion, and portability within 45 days
- Avoid requiring opt-in consent for 12 months after a California resident opts out
- Monitor your cloud-based and mission-critical applications like Salesforce to ensure any potential breaches or data theft are quickly spotted and remediated. This can help businesses mitigate the cost of a breach by protecting against the CaCPA’s penalty of up to $750 per resident and incident.
- Consider aligning yourself with the data privacy movement as a business owner. Check out the resources below for an overview of the issue of data privacy and the potential regulatory and operational impact for affected businesses. Take the opportunity to assess how you’re collecting and handling data and how easy it is to fulfill a consumer’s request. The CaCPA doesn’t require privacy awareness training like the GDPR, but it can be a good opportunity to assess your existing training and implement new training if necessary. That way, all involved team members understand the steps you’re taking to secure your customers’ and contacts’ data.
- The text of Assembly Bill 375 (The California Consumer Privacy Act of 2018)
- California Consumer Privacy Act website
- International Association of Privacy Professionals
- Global Data Protection Laws of the World