A hot button topic as of late has been the collection of personal data online, whether it be information actively inputted by the user or information passively collected by the websites themselves. The issue is whether and to what extent the users of these websites should be able to block the websites from collecting their data. The internet has become an integral part of daily life, so much so that perhaps there is no way an average person can avoid giving up some level of privacy. The European Union and California, however, have enacted privacy laws to curb the amount of information websites may gather without being granted permission to do so.
In 2016, the European Union adopted the General Data Protection Regulation (GDPR). The GDPR was the first marked attempt by a governmental body to significantly regulate the collection of personal information online. The policy behind the GDPR was that every person has a right to privacy with respect to his or her personal information. The GDPR became effective in May of 2018, and many companies with websites were prompted to update their policies as a result. The most significant changes the GDPR brought were the creation of new rights for individual internet users to access the information companies had gathered about them, the imposition of new requirements for data management for companies, and the creation of a new fine scheme.
Shortly after the GDPR went into effect, California enacted its own privacy laws which regulate largely the same area as the GDPR. California’s privacy laws are not set to become effective until 2020, but companies would be well served to become familiar with the new laws and make any and all necessary updates to their privacy policies and beyond.
California’s privacy laws provide protections to California residents, defined as any person “enjoying the benefit and protection of [California’s] laws and government” who is in California for more than a temporary or transitory purpose. While this class of persons is not surprising, the class of businesses which will be bound to abide by the new privacy laws is vast. The laws provide that all for profit entities which both collect and process the personal information of California residents and do business in California will be subject to these laws, so long as they meet one of the following criteria: (a) the business generates over $25 million in annual gross revenue per year; (b) the business receives or shares over 50,000 people’s personal information per year; or (c) the business derives 50 percent or more of its annual revenue by selling California residents’ personal information.
For purposes of California’s privacy laws, “personal information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” “Household” is not defined explicitly, but will certainly expand the definition of personal information beyond that attributed to it before. This personal information can include what is normally considered personal information, e.g. names, social security numbers, driver’s license number, but will also include less obvious information which could be used to reasonably identify a person, e.g. device identifiers and other tracking technologies.
There are four main new rights given to individuals under the new privacy laws: (1) individuals have the right to know when their information is being collected; (2) individuals must be given an easy opportunity to opt out of having their personal information sold; (3) individuals can request companies delete their personal information; and (4) individuals exercising these new rights cannot be discriminated against.
As should be clear, companies with websites that collect personal information should revisit their privacy policies and terms and conditions to assess whether their websites will be compliant with California’s privacy laws when 2020 rolls around. If you would like assistance in doing this, contact Navigato & Battin.