New Data Privacy Statutes in California and Vermont

October 17, 2018

California

California often acts on technology, privacy, and environmental issues before other states, or even the federal government. California recently passed a new privacy law that gives consumers the right to demand that their data be deleted and to bar companies from selling their data. Beginning on Jan. 1, 2020, the California Consumer Privacy Act of 2018 will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises. If it is not preempted at the federal level, this statute could serve as a catalyst for other states to pass similar or even more rigorous laws.

The law generally applies to any for-profit business that collects consumers’ personal information, does business in the state of California, and meets at least one of three conditions:

  • $25 million or more in annual revenue.
  • Personal data of more than 50,000 “consumers, households, or devices.”
  • More than half of annual revenue is earned by selling consumers’ personal data.

The Act applies to data of any “consumer,” defined as a natural person who either (1) is in California for other than a temporary or transitory purpose, or (2) is domiciled in California but is outside the state for a temporary or transitory purpose. Based on judicial interpretation of prior California data privacy laws, companies that sell goods or services to these consumers will likely be deemed to “do business in the state of California” even if the company is not physically located in the state. The statute also applies to any entity that controls or is controlled by, and shares common branding with, a business covered by the Act. For example, a co-branded Florida subsidiary of a Delaware corporation that sells goods or services to a California resident who is traveling for business in Texas would be subject to the Act.

The new act provides California residents with new rights and includes a dramatically broader definition of “personal information” than is typically seen in US privacy regulation. Some of these characteristics appear to mirror principles from the EU’s General Data Privacy Regulation (“GDPR”), while others are unique to this legislation. The new law gives California consumers four main categories of rights in relation to their personal information:

  • the right to know what personal information a business has collected about them, where it came from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
  • the right to “opt out” of the onward sale of their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their opt-in or their parent’s);
  • the right to request that a business delete their personal information, which a business is required to honor in certain cases; and
  • the right to receive equal service and pricing from a business regardless of whether the consumer exercises their privacy rights under the Act.

The Act also contains special rules regarding the personal information of children under 16, and requires companies disclose certain information to consumers via their privacy policies or at the time the personal data is collected. Among other things, the Act also requires businesses to provide at least two means for consumers to submit requests for disclosure including, at minimum, a toll-free telephone number and website, to clearly and conspicuously post a “Do Not Sell My Personal Information” link on their home page and in their privacy policy, and to disclose the requested information free of charge within 45 days of the receipt of a consumer’s request. The Act creates a private right of action for aggrieved consumers that suffer a data breach in certain situations, with statutory damages of $100 to $750 per consumer.

While the Act does not come into effect until 2020, certain provisions such as the right of access will apply retroactively to data collected by companies during 2019. Companies that have not already created an internal program in order to map those data and respond to similar requests under GDPR should do so now. The Act contains too many other elements to cover them exhaustively in this update, but Kutak Rock urges potentially affected companies to contact an attorney and review their individual risk profiles and compliance obligations.

Vermont

Vermont’s new data broker law is another law that companies across the country may need to address. This first-of-its-kind law creates significant obligations for businesses that collect or make available certain types of personal data concerning any Vermont resident with whom the businesses do not have a direct relationship.

“Data brokerage” differs from traditional online behavioral advertising. U.S. businesses routinely purchase consumer personal data from data brokers, and many U.S. companies even have a side business selling the personal data they collect to other companies, including data brokers. This information can be used to target ads to consumers on the basis of highly sensitive personal information, such as an individual’s medical condition. Under the Vermont law, a “data broker” is a business “that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Consequently, a company is not a data broker merely because it collects personal information from its online customers: the company has a direct relationship with them. If, however, that same company’s website collects information about visitors or potential customers from Vermont and sells that information to a third-party, it could become a regulated data broker.

Although Vermont does not go as far as the EU in its reporting obligations, the new law does require a data broker’s annual filing to disclose, among other things, whether it lets consumers opt out of its collection of brokered personal information, its databases or certain sales of data; which, if any, of these opt-outs are not permitted; how to go about opting out; and whether the data broker operates a purchaser credentialing process. Vermont data brokers will also have to report information on data breaches annually.

Like many recent state laws in this space, the Vermont law requires companies to put in place a written, comprehensive data security system, including physical, technical and administrative safeguards for consumers’ personal data, and imposes heightened requirements to govern personal information of minors. Vermont’s new statute also obligates state officials to report on what further privacy and data security measures may be warranted. Unlike most recent state laws in this space (except California’s, as noted above), this statute gives individuals a private right of action. It can be enforced by the Vermont attorney general or by any affected individual, and there is a substantial incentive for plaintiffs to do so. Prevailing under the Vermont law can yield not only compensatory damages, but a punitive award of up to triple the actual damages suffered by consumers, plus reasonable attorney fees.

The registration and data security provisions that Vermont’s new law imposes on companies—such as the requirement that data brokers register with the secretary of state and pay a $100 annual fee—do not take effect until January 1, 2019. But the law’s other provisions—such as prohibiting credit reporting agencies from imposing a fee for implementing a credit freeze—took effect with the law’s passage on May 22, three days before GDPR and shortly before California enacted major changes to its own data privacy laws (as discussed above).

Conclusion

These state laws strike a similar tone. Together with the recent Congressional signals concerning a potential federal privacy law, they reflect a common trend in data privacy regulation toward heightened scrutiny on businesses that collect, use, and sell consumer data. While it is anticipated that California’s new law will undergo several changes leading up to its 2020 effective date, and Vermont’s new law does not take full effect until 2019, we are currently advising clients to review their data processing practices and determine whether technological, structural, administrative, or other changes will need to occur in order to achieve compliance. We are currently assisting several clients in this exercise and encourage you to call us to discuss your company’s needs.

Please contact a member of our Privacy and Data Security Practice Group listed in the right-hand column of this page.