This is Part 3 of our series on the California Consumer Privacy Act (the “Act”), which was signed into law just this year. Here is a link to Part 1 and here’s a link to Part 2. Here’s a link to the Act for your reference. As mentioned before, please keep in mind as you read through this and subsequent posts that they discuss the Act as originally passed and signed into law, and do not include discussion of any amendments to the Act (yes, there have been amendments already). Therefore, please understand that some of the provisions discussed may have already been changed. But don’t worry, we’ll be following up with updates. Ready? Let’s go!
Who’s Behind the Act?
Last time we talked about some of the history of privacy laws in the United States and California to give help give some context to the Act. This week we’re going to get back into the meat of the Act, so prepared to get a little dirty.
To start, let’s talk about how the Act actually came to be. The timing of the Act’s passage was pretty interesting actually. In one sense, it was kind of a rush-job. A San Francisco-based real estate investor, Alastair Mactaggart, spent millions of his own money to first try to negotiate a bill with the big-tech companies and, after making little ground, successfully got over 600,000 signatures in order to get a ballot initiative on California’s November 2018 ballot.
The tech industry, realizing the threat of a strict data privacy law was now imminent, decided it was time to listen. This is because once a California ballot initiative becomes law, it is very difficult to amend. And the industry wanted a say in the process.
So the tech industry and the ballot initiative sponsors compromised: If the Act was passed by the Legislature and signed into law by the governor by no later than June 29, 2018, the deadline to withdraw ballot initiatives, the sponsors would withdraw the initiative. Legislators quickly put the bill together, passed it, and it was signed by the Governor on June 28, 2018, without opposition from the tech industry.
By setting the effective date of the Act for January 1, 2020, the tech industry was given time to go to work on amending the Act (as are proponents of the Act). Indeed, this process has already begun in earnest (more on that later). And voila! Here we are. Now it’s a waiting game until the Act becomes effective. Until then, expect some changes (there have been!).
Who Does the Act Protect?
The Act protects and gives rights to “consumers”. So what is a “consumer”? The Act says that it is a “natural person who is a California resident”, and then uses a separate statute to define what a resident is. Under the separate statute, therefore, a California consumer would include:
Every individual who is in the State for other than a temporary or transitory purpose, and
Every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.
California Code of Regulations, Title 18, Section 17014, provides further explanation and examples about what would make someone a “resident” under this definition.
Based on this definition of California “consumers”, it seems that the Act would even protect, for example, a California resident who is traveling outside of California. However, the Act also states (in Section 1798.145) that it does not restrict a business’s ability to collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place “wholly outside” of California, an exception to the rule.
You may ask, “So does this mean I don’t have to comply with the Act at all when I make a sale to California residents and collect their personal information while they are outside of California?” “I mean, that’s ‘wholly outside’ of California, right?”
Not exactly. Assuming the transaction meets the definition for having occurred “wholly outside” has been met, you can likely go ahead and collect and/or sell the California resident’s personal information without having to comply with the Act as to that consumer. Of course, you will have to carefully assess whether a transaction meets the requirements of the exception. But, you still have to fulfill all of your other duties under the Act. And we’ll get to those duties shortly.
What Data Is Protected?
The Act provides protection for California residents’ “Personal Information” (or “PI”). What is “Personal Information”? It’s very broad under the act, and includes any information that:
Identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Note that, not only are particular “natural persons” protected here, but so are particular households.
A non-exhaustive list of items of Personal Information is listed in the Act, and includes:
Identifiers such as real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
Any categories of PI described in subdivision (e) of Section 1798.80: any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
Characteristics of protected classifications under California or federal law;
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
Biometric information;
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
Geolocation Data;
Audio, electronic, visual, thermal, or similar information;
Professional or employment-related information;
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99);
Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Notably, PI does not include publicly available information that is lawfully made available from federal, state, or local government records.
Conclusion
So now you should have a better sense of who and what is protected. And from our prior posts, you should have a better overall sense of the purpose and intent of the Act as well as where the Act fits in overall global trends in data privacy law. Suffice it to say that the Act has further broadened the number of protected parties, beyond just identifiable individuals, and has expanded the number of categories that qualify as protected PI. This is the current trend in data privacy law and is expected to be the trend for as long as technology continues to evolve at such a rapid pace and remains so vital in today’s online world.
To Be Continued...
I hope this was informative for you. If it was, please make sure to read Parts 1 and 2, as well as Parts 4 through 5 of this series as I take a deeper dive into the California Consumer Privacy Act.
Disclaimer: This article may constitute attorney advertising and is provided for informational purposes only. This article does not constitute legal advice nor does it form an attorney-client relationship. Specifically, this article does not address all potential situations and is in no way intended to apply to your particular situation. Qualified counsel in your jurisdiction should be consulted for your specific concerns and/or needs. If you want more information, please contact Law Unboxed with any questions!