California recently introduced some new consumer privacy rights laws. Applicable only to California residents, they must be followed, regardless of your business location. They include:
- The right to opt out of sharing of personal information. This includes interest-based advertising (think cookies and adwords).
- The right to opt out of certain uses and disclosures of “sensitive personal information,” including Social Security, driver’s license, state ID card, or passport number; debit card, or credit card numbers, password or credentials; a consumer’s precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s email and text messages, unless the business is the intended recipient of the communications; a consumer’s genetic data; and data concerning a consumer’s sex life or sexual orientation.
- The right to correct inaccurate personal information.
- The right to enhanced transparency about a business’s information practices, including information about data retention periods.
- New rights with respect to the use of automated decision-making technology, including for profiling.
The new law applies to for-profit entities that do business in California, collect personal information from California consumers, and meet ANY threshold criteria which include:
- A business exceeds $25 million in gross revenue in the preceding calendar year.
- The company buys, sells, or shares the personal information of 100,000 or more consumers or households.
- The company derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
There are also new requirements related to data retention, data minimization, and purpose limitation, as well as to pass deletion requests not only to service providers but also to contractors and third parties to which the businesses have sold or shared information. The law also mandates additional provisions that businesses must include in their contracts with service providers, contractors, and other third parties. Regulations issued under the law are likely to increase auditing requirements, such as performing cybersecurity audits on an annual basis, and providing the new enforcement agency with regular risk assessments.
California claims the authority to investigate and prosecute violations of the law, and it can impose fines of up to $7,500 per violation. In response, Google Chrome (and likely the other browsers) will be retiring 3rd party cookies, which track users activity online. This will make online marketing and prospecting more difficult to target.
We are still exploring this for our customers, and will share additional information in the future. Until then, you should pay particular attention if you use any form of adwords, sell products with a shopping cart that requires an account, process credit cards or maintain a mailing list. We do believe most small businesses are exempt, but watch towards the future as other states enact their own laws.
