Just when you thought it was safe to collect personal information again… The California legislature acted!
Even if your business is not subject to the GDPR because it does not collect personal information from EU residents, whether by design (blocking EU IP addresses) or happenstance, the new legislation is likely to be important. If your business conducts or intends to conduct operations on a national level within the US and in so doing collects information from consumers, you need to pay attention. A high-level description is contained here.
We will have more to say about the legislation in the future as commentary and regulatory guidance emerge. In the haste to meet a deadline, the legislation was enacted with identified problems, so it is expected to be amended before it takes effect. For now, let it suffice to say that it is intended to give consumers much more notice of and control over the use of their personal information, particularly with respect to its sharing with third parties, whether they are data brokers or marketing partners.
As under GDPR, the definition of “personal information” is broadly expanded to include what was previously considered non-identifying in the United States, such as an Internet Protocol address. The requirement to obtain affirmative consent (opt-in) and the right of a person to demand deletion of information are some of the concepts from GDPR that California included in its privacy law. Additionally, it appears that a data breach can occur under the law if just one item of personal information is compromised, which is a significant departure from the “name in combination with…” formula that has been the norm thus far for data breach statutes.
The legislation will not take effect until January 1, 2020, but significant lead time will be required for compliance. Among other things:
- Existing privacy policies will have to be substantially revised by that date;
- In the interest of efficiency, we strongly recommend that the new requirements be given immediate effect for new policies and significant revisions to existing ones;
- The data mapping exercises that are required for GDPR compliance are also necessary in some form here, especially in light of the increased scope of “personal information”;
- Data processing agreements with vendors entrusted with personal information are also a key part of a compliance strategy; and
- For some small and mid-sized businesses, consideration should be given to the applicability of the de minimis exceptions.
While not directly pertinent to a compliance strategy, it is worth noting that although the mechanics and scope of enforcement of the GDPR are still taking shape, we anticipate that there will be fewer such issues or related questions with the California legislation. Judgments based upon violations will be readily enforceable in US courts.
For all companies which are potentially impacted by this legislation – everyone dealing with consumers and having operations not confined to one locale – we suggest prompt discussion with your FisherBroyles lead and our privacy partners to determine what action is best for you.
If you would like additional information, please contact any of the following FisherBroyles partners:
Michael S. Khoury
© 2017 FisherBroyles, LLP