All posts by Jonathan Marz

What’s The Deal With The California Consumer Privacy Act?

Have you heard about California’s big new privacy law? The “California Consumer Privacy Act of 2018” (the “Privacy Act”; Cal. Civil Code § 1798.100 et seq.) goes into effect in January of 2020. Significant media coverage surrounding the new law has led many businesses – Terrapin included – to question whether and how the law may apply to them. Terrapin has analyzed the new law and while we do not expect it will affect our clients from an operations or business perspective right now, we feel it’s important to understand how it may impact you personally.

What Is The Privacy Act About?

The Privacy Act is intended to give consumers greater control over personal information that businesses collect about them. The legislative findings in support of the law refer to the proliferation of personal information in the digital and Internet age, and the increasing difficulty people have controlling the use of such information. Remember the 2018 Facebook-Cambridge Analytica scandal? That is cited as one example and motivator for the new law. The Privacy Act is frequently compared to the EU General Data Protection Regulation (Regulation (EU) 2016/679), commonly referred to by its initials “GDPR.”

What Information Is Covered By The Privacy Act?

The Privacy Act defines personal information broadly – information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civil Code § 1798 .140(o).  This information includes:

  • Names
  • Addresses – postal, email, and Internet Protocol (“IP”) addresses
  • Social security numbers
  • Account names
  • Drivers license numbers
  • Passport numbers
  • Biometric information
  • Internet activity (browsing history, search history, and info regarding a consumer’s interaction with a website, app, or advertisement
  • Geolocation data
  • Audio/visual information
  • Professional or employment related information
  • Education information
  • “Inferences drawn” from such information to create a “profile” about a consumer reflecting their preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

Id.  Personal information does not include information that is “publicly available,” such as information “lawfully made available from federal, state, or local government records,” or consumer information that is “deidentified or aggregate” in nature.  Cal. Civil Code § 1798.140(o)(2).

What Businesses Are Covered By The Privacy Act?

Again, Terrapin does not expect that the Privacy Act will impact our clients from an operations or business perspective. It applies to for-profit businesses that: 1) do business in California; 2) collect, or have collected for their benefit, consumers’ personal information; 3) participate in the determination of the purposes and means of the processing of such personal information; and 4) satisfy one or more of the following thresholds:

  • Have annual gross revenues in excess of twenty-five million dollars ($25,000,000);
  • Annually buy, receive, or share, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
  • Derive 50 percent or more of their annual revenues from selling consumers’ personal information.

Cal. Civil Code § 1798.14(c)(1).

What Are Consumers’ Rights Under The Privacy Act?

The Privacy Act provides consumers three basic “rights” regarding their personal information:

  • The right to know what personal information a business has collected about them; the sources of that information; what that information is being used for; and if and to whom that information has been sold. Civil Code §§ 1798.100(a), 1798.110(a), 1798.115(a)
  • The right to “opt-out” of having their personal information sold. Civil Code §§ 1798.120.
  • The right to request that a business delete any personal information about the consumer which the business has collected from the consumer. Civil Code § 1798.105(a).

Though not couched as a consumer’s “right,” the Privacy Act prohibits a business from discriminating against a consumer who exercises any of their rights under the Privacy Act, such as by denying goods or services to the consumer, or charging a different price for those goods or services, or offering a different level of quality of goods or services.  Cal. Civil Code § 1798.125.

What Happens If A Covered Business Violates The Act?

A business covered by the Privacy Act that violates it can be subject to civil penalties pursued by the Attorney General. Cal. Civil Code § 1798.155(b). The business can also be subject to lawsuits for statutory or actual damages brought by consumers whose personal information is disclosed by a theft or hack against the business. Cal. Civil Code § 1798.15.

Some Takeaways…

Regardless of whether or not you determine the Privacy Act applies to your business, it is significant new legislation that is sure to receive continued attention as it comes into effect and enforcement actions are pursued under its provisions. Depending on the law’s success (or failure), it may lead to further privacy related laws that are even broader in scope and reach.

Proactively Manage eDiscovery Issues by Leveraging Rules of Court

What if there was a way to suss out eDiscovery issues in California state court litigation fairly early in the case, outside of law and motion? What if doing so was simply following the rules?

California’s Rules of Court require parties to meet and confer to consider certain issues before a case management conference (CMC).  Cal. Rules of Court, Rule 3.724.  The topics of consideration expressly include “the discovery of electronically stored information” (ESI). subd. (8).  The specific issues to be considered relating to ESI include among others the “preservation of discoverable electronically stored information;” “form or forms in which information will be produced;” “scope of discovery of the information;” “method for asserting or preserving claims of privilege or attorney work product, including whether such claims may be asserted after production”; and “other issues . . . including developing a proposed plan relating to the discovery of the information.”  Id.

Parties that conduct the meet and confer conference in a perfunctory manner (or worse fail to meet and confer at all) miss out on an early opportunity to understand the contours of eDiscovery issues that may arise in the case.  On the other hand, parties that faithfully carry out the meet and confer duty can have a meaningful conversation about the who, what, when, where, how, and why of eDiscovery in the case. The effort can yield valuable information the parties and their counsel and eDiscovery vendors can use to chart out, budget for, and streamline eDiscovery issues during fact discovery. If a party seeking to obtain these benefits finds itself stymied by its adversary’s unwillingness to engage in the pre-CMC meet and confer discussions, that fact can be reported in the required CMC Statement and a request made that the Court take up the issue at the CMC.

The takeaway?  By leveraging California’s Rules of Court, litigants have an opportunity to learn about potential eDiscovery issues beforethey are knee deep in discovery, and help to manage what can otherwise become a difficult, time consuming, and expensive component of discovery.

Terrapin’s Litigation Support team is headed by an attorney with sixteen years of litigation and trial experience.  Our team understands eDiscovery and is here to help you with your eDiscovery needs and projects.

Contact Terrapin to learn more.