Even though the California Consumer Privacy Act (“Act”) will be effective January 1, 2020, the time to plan for compliance is now. It may seem as though you have plenty of time to prepare, but it is a mistake not to get started immediately. Indeed, because of the twelve-month lookback provisions, companies must have proper records of the personal information they collected as of January 1, 2019.
There are many nuanced questions to consider that may not be apparent on a cursory read of the Act. Some basic questions commonly arise when companies first hear about the Act; they are addressed below.
Does the Act really apply to my small business?
The Act applies to businesses (and their parents and subsidiaries) that process information of California residents and that either have annual gross revenue exceeding $25 million or derive more than 50% of their revenue from sales of personal information. The Act also applies to businesses that handle the personal information of 50,000 or more consumers, households, or devices. Setting aside the question of how to allocate and account for information of a single household with multiple individuals, this threshold means the Act would apply to a business that collects information from only 137 unique users a day. A typical website alone will easily meet this prong, thereby becoming subject to the Act.
My business does not have an office in California, so am I still subject to the Act?
The Act applies to businesses that collect information from a “natural person who is a California resident,” meaning an individual in California for other than a temporary or transitory purpose (e.g. a tax-paying resident), and every individual who is domiciled in the State but is outside the State for a temporary or transitory purpose (e.g. a California resident on vacation in Hawaii). A business with no offices or connections to California that does not collect information from any California resident may not be subject to the Act.
I don’t think we really collect personal information. Does the Act apply?
Keep in mind that the Act defines personal information extremely broadly. Under the Act, personal information is data that is capable of being associated with a consumer or household, including IP addresses, cookies, beacons and pixel tags that can be used to recognize a data subject, probabilistic identifiers, and gait patterns. If you have a “Contact Us” form on your website, or if your website sets tracking cookies, you are collecting personal information.
We do not collect personal information online, only offline. Does the Act apply?
Yes, the Act applies with respect to both online and offline personal information.
But the information we collect is all public. How is that information addressed?
There is a very limited exception for publicly available information. Under the Act, publicly available information means information that is available from government records. So even if an individual’s corporate email address can be found on another website, if you collect that email address on your website, that information falls within the scope of the Act.
My business is a non-profit. How does the Act affect me?
Even if your non-profit entity is not, on its own, a “business” subject to the Act, a non-profit that is a subsidiary of a for-profit business may nonetheless be required to comply with the Act. Additionally, your service providers are likely subject to the Act, and you must ensure that they comply with it.
Who are consumers under the Act? Are employees covered?
A “consumer” under the Act is defined broadly. A consumer is not only a customer or user of your services, products or websites; your employees are also consumers. This is a shift from the norm of having a company policy stating that there is no expectation of privacy in the workplace. Companies need to prepare internal privacy policies for their employees and provide their employees with the rights granted under the Act. Note that there is a pending amendment that may change the definition to include certain exceptions for employees and contractors.
Why do I have to prepare now?
The Act’s recordkeeping provisions require companies to maintain detailed records, organized according to the Act’s categories, of personal information dating back to January 1, 2019. Detailed records and data maps must be prepared now to meet these obligations, and companies should inventory the information they have collected since January 1, 2019. Businesses must publish their new privacy policies by the time the Act is effective, have systems, policies and procedures in place to manage user rights, and update their privacy policies annually. Note that we expect additional Attorney General guidance by Fall 2019 to clarify several areas of the Act.
If you have any questions regarding privacy and data protection, please contact Chiara Portner.