California Privacy Act of 2018

In the wake of GDPR and California’s new data privacy law, website privacy policies continue to be a hot topic for the business community.

These pieces of legislation, the FTC Act, and various other sectoral and state laws and regulations set forth a myriad of complex rules and guidelines for website privacy policies. At a minimum:

  • Privacy policies should clearly and concisely state:
    • What information is being collected when a person visits your site
    • Who else may have access to that information
    • Site visitors’ options to opt in or opt out, and how to exercise them without complicated or costly steps
    • How you will communicate with your customers/site visitors if their data is compromised (if you wish to avoid more costly or public means of breach notification that may be mandated by certain jurisdictions)
    • Whether you are tracking site users’ locations (and with California and EU site visitors, this cannot be done without clear disclosures and consent)
    • How cookies are being used
    • How long information is retained
  • They should not be materially misleading.
  • Consent: If you are, or think you might be, subject to GDPR and/or if you are inviting or expect site visitors from California, your website should take the “opt-in” approach (without pre-checked boxes to receive future correspondence or advertisements)
    • “Consent” under GDPR for direct consumer marketing must be freely given, specific, informed, and unambiguous.
      • Site visitors should not be penalized if they choose not to consent.
    • Your customer must know to what they are consenting, and you cannot repurpose consent given for one activity for another, unrelated activity.
  • Your website should include mechanisms to allow a data subject to request (i) confirmation and/or correction of information you have about that person, (ii) that you remove (the right of “erasure”) that person’s data from your systems, and (iii) that you transfer their information to a third party
  • If your website processes payment transactions, it must be PCI compliant.
    • If the website uses a third-party payment processor, this should be clearly stated on the website and you should review your contract with that processor as to indemnification, notice obligations and liability disclaimers or limits if the processor experiences a breach.

In addition to the issues highlighted above, there are many other cyber and data protection-related considerations associated with websites and the disclosures in privacy policies.

Regardless of whether you are subject to GDPR, if your stated privacy policy, terms and/or conditions are misleading and/or deceptive, you will be inviting federal and state claims of deceptive and/or unfair trade practices.

However, there are other issues that many companies either ignore or neglect, including:

  • Reviewing advertising insurance coverage
    • Even if you have general commercial liability insurance that includes advertising coverage, it may NOT include coverage for your digital advertising. If you do not know the answer to this, we urge you to ask your broker!
  • Assessing whether the website is ADA compliant
    • Circuit courts around the country are split on their application of Title III of the Americans with Disabilities Act (“ADA”) to websites. However, many courts are taking the position that because websites are “places of public accommodation,” they are indeed subject to the ADA.
  • Clear and complete disclosure of warranty terms
    • It is worth noting that different laws apply if you are a manufacturer or a retailer.
    • In New Jersey, retailers must comply with the state’s Truth-in-Consumer Contract, Warranty, and Notice Act.
  • Disclosure of pricing, shipping, handling and return mechanisms, requirements and limitations
  • Review of general website terms and conditions
    • Do they protect your intellectual property?
    • Do they disclose third-party links?
    • Do they address the intended or unintended collection of information about minors?
    • Do they clearly state dispute resolution mechanisms?

For any business – but particularly for a business new to the internet or e-commerce – it is easy to purchase a website “kit” without giving the necessary thought to these and other considerations. If you are just establishing an online presence, do not just “cut, paste and go.” And if your business operates an already-established website, the stated terms, conditions, privacy policy, and notices should be reviewed at least annually.

A website is a wonderful way to promote and expand your brand – provided it is appropriately established, maintained and protected.

The California Privacy Act of 2018 (the “Act”) was passed by both chambers of the California Legislature unanimously and signed by Gov. Jerry Brown on Thursday, June 29, 2018. The new law is one of the toughest data privacy laws to be enacted in the country and comes at a time when data privacy is under much scrutiny. The law, which is set to take effect in 2020, will apply to any business (and their subsidiaries which share a name, service mark, or trademark) doing business in California (either with a physical or online presence) which (i) has annual gross revenue in excess of $25,000,000; (ii) collects data of 50,000 or more consumers annually; or (iii) derives 50% of its annual revenue from selling consumers’ personal information.

The Act provides protections similar to the EU’s General Data Protection Regulation (“GDPR”), providing that a consumer[i] has a right to request that a business disclose:

  • Categories of specific pieces of personal information that it collects about the consumer,
  • Categories of sources from which that information is collected,
  • Business purposes for collecting or selling the information,
  • Categories of third parties with which the information is shared, and
  • Specific pieces of personal information which the business has collected.

Disclosure and delivery of personal information records, when requested, are to be made by the business within 45 days of the verifiable request.

The Act also provides that a consumer may request that a business delete his/her personal information, akin to the GDPR’s “right of erasure” or the right to be forgotten. The Act further allows a consumer to opt out of the sale of their personal information and would prohibit a business from discriminating against a consumer for doing so – including by denying services to the consumer or charging different rates to that consumer, except under limited circumstances. In complying with the “opt-out” right, a business must provide a clear and conspicuous link on the business’s internet home page titled “Do Not Sell My Personal Information,” allowing for the opt-out of the sale of the consumer’s personal information. The Act also prohibits a business from selling the personal information of consumers under the age of 16 – unless the consumer (for those between age 13 and 16) or their guardian (for those under 13) – has specifically authorized, or opted in to, the sale of the minor’s personal information.

The Act also expands the definition of “personal information” to include a broad list of characteristics and behaviors, as well as inferences drawn from the information collected. The Act provides that businesses must make available to consumers at least two methods for submitting information requests, including, at a minimum, a toll-free number and a website address. Finally, the Act provides for enforcement by the Attorney General and, in certain situations, allows for a private cause of action. In the case of an intentional violation of the Act, a civil penalty of up to $7,500 is provided for each violation under the Act – which could be per record in the database.

Before this Act was adopted, California already had stringent data protection and privacy laws in place – including “opt-in” (vs. opt-out) required for sending consumers solicitations. As we have previously observed, at least 15 states have already adopted some level of proactive (versus reactive breach response) data protection legislation. Absent federal action on this matter, we expect to see more states adopt either additional sectoral laws (as Colorado, New York, and Vermont have in the financial industry), or move toward, at a minimum, an “opt-in” approach as currently mandated by California and the GDPR.

Please contact either of this post’s authors to better understand the impact of the Act and other state, federal or extraterritorial legislation on your business.

[i]The Act applies to any “consumer,” defined as a “natural person who is a California resident,” defined as “(1) every individual who is in [California] for other than a temporary or transitory purpose, and (2) every individual who is domiciled in [California] who is outside [California] for a temporary or transitory purpose.”