Digital privacy rights have received more attention since it was revealed that the voter-profiling firm Cambridge Analytica gained access to personal data of millions of Facebook users. This prompted the European Union to establish some of the toughest online privacy regulations in the world. Even companies outside Europe must comply with the E.U.’s new General Data Protection Regulation (“GDPR”) if their web presence extends into Europe. Facebook, for example, announced in April that it will offer the privacy controls required under the GDPR to all Facebook users, not just Europeans.
The State of California also recently enacted the Consumer Privacy Act, A.B. 375, which is modeled on the GDPR. The California Consumer Privacy Act is set to take effect on January 1, 2020, giving citizens an array of new rights, and more control over how their data is used. California consumers will have the right to request deletion of personal information, to opt-out of the sale of personal information, and to access personal information in a “readily usable format” that enables transfer to third parties without hindrance. It also makes it more difficult to share or sell data related to children younger than 16.
This California law will have an impact outside of that State, because it will apply to any legal entity that (i) does business in California, (ii) is operated for the profit or financial benefit of its owners, (iii) collects consumers’ personal information and determines the purpose and means of processing such information, and (iv) satisfies at least one of the following three conditions:
* Has an annual gross revenue of over $25 million
* Alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of $50,000 or more consumers, households or devices, or
* Derives 50% or more of its annual revenues from selling consumers’ personal information
The California law will force companies meeting the minimum size threshold to be transparent about how they use consumer data. These companies will have to obtain permission before using targeting ads based on personal information that they’ve received, such as a person’s job, education, or the websites and apps used by the person.
Many companies that use or gather consumer data, from retailers to cellular network providers to internet companies, have at least some California customers. Companies large enough to be subject to the new law must bring their systems and websites into compliance, and ensure that their processes are robust enough to take action in response to consumer inquiries and requests.