Passed in 2018, the California Consumer Privacy Act (the “Act”) has been the subject of persistent controversy, drawing criticism from tech lobbyists and support from privacy advocates.
It grants “consumers” various rights with regard to personal information held by a covered “business,” including the rights of notice, access, deletion, portability and reasonable security. It also requires a business that “sells” “personal information” to “third-parties” to provide a clear and conspicuous link on the business’s internet homepage – “Do Not Sell My Personal Information” – to an online webpage that enables a consumer or a person authorized by the consumer to opt-out of the sale of the consumer’s personal information, among other requirements.
The Act also includes an expansive definition of “personal information.” It captures bits of information that digital marketers had not previously treated as personal information, and, as a result, can reach broadly across vendors (below).
Many believe that privacy issues in ad tech are at the core of what the Act is intended to “fix.” The ability of consumers to opt-out of the sale of their personal information is arguably the most significant provision in the Act for digital marketers.
Implications for Data-Driven Businesses
The Act applies to an entity that does business in California and collects the personal information of California residents. Specifically, the statute applies to for-profit entities that (i) have greater than $25 million in gross annual revenues; (ii) annually handle the personal information of 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of their annual revenue from “selling” personal information. Meeting any one of these three thresholds is sufficient.
It can apply to businesses even if they do not have offices or employees in California, and can reach activities conducted outside of California.
It is important to note that the Act encompasses much of the data relied on and used by ad agencies, website publishers, ad networks, exchanges, lead generators and auction platforms.
Expansive Definition of “Personal Information”
The collection of data via cookies may fall within the Act’s sweeping definition of “personal information.” The definition also covers a number of data sets that are not tied to actual identifying information. For example, “personal information” also encompasses data that “relates to … is capable of being associated with or could reasonably be linked directly or indirectly, with a particular consumer or household.”
These data sets can include, without limitation, geolocation information, biometric information, IP address, and other online identifiers; browsing history; search history; information about how consumers interact with websites, applications, or advertisements; and inferences drawn from these or other types of personal information that may be used to create a profile about a consumer.
De-identified and Aggregated Data
The Act exempts data that is “deidentified or in the aggregate.” However, what constitutes “deidentified” or “aggregate consumer information” should be critically assessed by consulting with an experienced FTC attorney.
For example, under the prevailing industry view today, information is treated as deidentified when it does not, on its own, identify an individual. Pursuant to the Act, however, data that is “capable of being associated with” a particular person only once it is combined with data held by a third-party is considered personal information before it is even shared.
Right to Opt-Out of “Sale” of Personal Information
The Act’s provisions relating to the right to opt-out of the “sale” of personal information, and the related restrictions on the dissemination thereof, have the potential to significantly disrupt digital marketing, lead generation and data-driven business models.
The Act provides the right to opt-out of the dissemination of personal information to third-parties. Additionally, “sale” is defined to include both: (i) the disclosure of personal information; and (ii) making personal information available to another business or third-party for monetary or other consideration. The breadth of this definition is potentially game-changing when one considers that third-parties often provide services for publishers based on the receipt of such information.
In some contexts, absent express notice and the opportunity to opt-out, intermediary entities (e.g., data aggregators, brokers and ad tech companies that provide behavioral marketing services) will be restricted from re-selling personal information. Never mind that such entities do not even possess a direct relationship with consumers.
Importantly, the Act provides for a limited service provider business purpose exception to the foregoing (below). Consistent with the FTC’s perspective on lead generation, notice is required, the data use must be reasonable and legitimate, and a contract with the service provider that obligates the latter to use the data for the specified legitimate business purposes only must be in place.
The implementation of proper protocols and marketing agreements is of paramount importance under the Act.
Enhanced Notice Requirements
The Act’s notice obligations require covered entities to inform consumers of the categories of personal information collected and the purposes for which that information will be used.
“Collection” is also defined broadly. As with the aforementioned re-sale restrictions, depending upon what type of notice is actually required and whether publishers will provide it on their behalf, entities that do not maintain direct relationships with consumers may find complying with this notice requirement to be somewhat difficult.
Other Consumer Rights
The Act also provides consumers with the right to request and access their personal information up to two times per year, the right to seek disclosure of the specific types of personal information being held, the right to take possession of their personal information in a readily usable form and the right to request deletion of their personal information (nine exceptions apply). Minors under sixteen (16) must provide affirmative opt-in consent before their personal information is “sold,” regardless of whether the company has a first-party relationship with the consumer. Of course, do not forget about COPPA’s verifiable parental consent requirement for children under thirteen (13). Consumers cannot be discriminated against for asserting their rights under the Act.
Properly designed and implemented age verification, data sale, deletion, storage and access policies will be critical, especially when considering that identifying information is often removed from consumer data.
Any entity that processes the personal information of California consumers on behalf of a data-driven business (e.g., vendors and service providers) is required to have a written contract in place with specified language in order to be compliant with the Act.
Companies may have to update their contracts if the Act applies to them and they use or share the personal information of California consumers with vendors or service providers. Without limitation, responsible performance marketing data privacy contract drafting should prohibit vendors and service providers from retaining, using or disclosing personal information for any purpose other than the legitimate and reasonably anticipated purposes specified in the contract, including for the vendor’s or service provider’s own benefit.
Experienced data privacy counsel can assist your company to avoid potential Act-related landmines. For example, the Act requires that certain actions be taken in order to avoid such sharing of personal information being classified as “selling.” Vendor and service provider contracts – in addition to privacy policies – should also contain express provisions that clearly and unequivocally set forth the legitimate business purposes for which data may be used.
Adjustments Needed Even If GDPR Compliant
Simply stated, the Act has particular compliance requirements that are not necessarily satisfied by GDPR compliance. One example is California’s requirement of a “Do Not Sell My Personal Information” link, which has no GDPR counterpart. Additionally, and without limitation, the definition of “personal information” under the Act is extremely broad, as are the consumer rights, associated business requirements and required contractual terms the Act sets forth.
Proposed Amendments to the Act
A number of proposed amendments have recently been advanced, including a limited exemption for employees from the definition of “consumer,” a bill that narrows the expansive scope of “personal information,” a bill that clarifies the definition of “deidentification,” and a bill that creates a public-record exemption for the definition of “personal information.”
Federal Privacy Law Could Assist Ad Tech
Not only could a federal privacy law solve the problem of how digital marketers can comply with a patchwork of state data privacy laws, such legislation could potentially have the added benefit of preempting the more onerous provisions of the Act.
Come 2020, the Act will significantly impact the data practices of digital businesses that handle the personal information of California consumers for advertising, lead generation and other monetization purposes. Proactively consult with an experienced Federal Trade Commission data privacy law firm to map and inventory data, interpret the various provisions and definitions of the Act, assess data collection and use practices, implement policies and protocols, and tend to vendor contracts.
Contact the author at firstname.lastname@example.org in order to discuss recent trends in data privacy law and how data-driven businesses can comply. You can also follow the author on LinkedIn.
Richard B. Newman is a digital marketing attorney at Hinch Newman LLP. He is a member of the International Association of Privacy Professionals.
Attorney advertising. Informational purposes only. Not legal advice. Always consult with a data privacy legal professional and consider the Act’s requirements, in their entirety.