Recent Data Privacy Developments in California and New York
The EU’s General Data Protection Regulation (GDPR) and domestic data security legislation have brought a multitude of complex data privacy risks and compliance obligations to performance marketers. In the U.S., California’s Consumer Privacy Act imposes GDPR-like obligations and has, thus far, been extremely controversial.
California’s Consumer Privacy Act
Understanding the Act and its scope is critical for ad tech. For example, marketers must assess what personal information is collected, how it is processed, to whom it is disseminated and where it is stored. Notices, disclosures and vendor contracts must be deliberately drafted, and written information security programs put in place.
Compliance with the Act is presently complicated by the expectation that there will be amendments. In fact, data privacy professionals have consistently called upon the California legislature to enact changes to the Act that address various problems, including, but not limited to, its broad application and limited exceptions, numerous defined terms, extraterritorial reach and unscaled costs associated with compliance. Additionally, the California Attorney General is expected to issue implementing regulations that will impact compliance.
Given the coordinated regulatory focus on consumer privacy, companies should consult with an experienced Federal Trade Commission privacy attorney to design and implement compliance protocols long before the Act becomes effective. This is especially crucial for companies that have not already addressed GDPR compliance.
Such protocols include, without limitation, the provision of lawful notice of the personal information collected, as well as what it will be used for. Upon request, covered businesses must disclose information collected, where it was collected from, the commercial purposes for collection and/or dissemination, and the categories of third parties with whom information is shared. Also upon request, covered businesses must provide consumers all personal information collected (no more than twice in a twelve-month period). Consumers must also be notified of the right to have their information deleted.
Who is Covered by the California Consumer Privacy Act?
Beginning in 2020, businesses that collect personal information of California consumers and are (or are jointly with others) responsible for determining the purposes and means of the processing of such information, may be covered by the Act.
Specifically, the Act applies to for-profit entities doing business in California that have annual gross revenue in excess of $25,000,000; buy, sell, receive or share personal information of 50,000 or more consumers, households or devices for commercial purposes; or derive 50% or more of annual revenue from selling consumer personal information.
As presently drafted, for purposes of the Act, a “business” constitutes a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is not considered a non-profit under California law. Similarly, there presently exists ambiguity with respect to whether a business must take into account worldwide revenue or revenue from California operations.
The Act goes into effect January 1, 2020. The legislation provides for enforcement by the California Attorney General and, in some circumstances, a private right of action with statutory fines.
New York Proposed Privacy Legislation
Following the onslaught of data privacy legislation in California, Vermont and Colorado, New York has now proposed privacy legislation. While not as broad as the California Consumer Privacy Act, New York Senate Bill 224 would require a business that retains a customer’s personal information to make available, free of charge, access to or copies of, all of the customer’s personal information that it retains.
Covered businesses that disclose personal information to third parties would also be required to inform consumers about the personal information that is shared. Privacy notices will have to be enhanced.
Richard B. Newman is a digital marketing attorney at Hinch Newman LLP. He is a member of the International Association of Privacy Professionals.
Attorney advertising. Informational purposes only. Not legal advice.