Many of our China clients sell their products and services to the United States. And because nearly all of those companies sell to California, the China Law Blog editors asked me to write about California’s rapidly advancing privacy and data security laws. I have been tasked with this because I am a data privacy law attorney in our firm’s Los Angeles office and a Certified Information Privacy Professional, and much of my work involves helping foreign companies navigate U.S. data privacy laws.
In the past few years, California has adopted the most sweeping and broad privacy and data security laws in the United States. California has taken up the task of creating a massive shift in data privacy and security laws similar to what the European Union did with its General Data Protection Regulation (or “GDPR”). These new laws will undoubtedly affect businesses throughout the United States, and even the world, because they are targeted to data affecting California consumers—regardless of where the businesses holding that data reside. So, it is critical for businesses from around the world to understand these laws and modify their data practices accordingly.
It is also important for international companies to understand this isn’t just a problem for some time in the future. There are current laws (again, mostly in California) that require them to adopt data security and privacy controls, which in our experience many companies are not even aware of. This post examines some of the more important laws on the horizon, as well as ones that already exist.
California Consumer Privacy Act
The California Consumer Privacy Act (or “CCPA”) was approved by the California Governor as Assembly Bill 375 in June 2018, which was subsequently amended on September 23, 2018 via Senate Bill 1121 (another possible statutory amendment is currently under consideration, and the California Attorney General is in the process of implementing regulations pursuant to the law).
The CCPA will take full effect in January 2020 and is by far the most sweeping privacy law in the history of the United States and is comparable in scope to GDPR, a law of which virtually every international business is aware.
In a nutshell, CCPA was intended to give California residents very expansive rights to seek information from certain “businesses” that collect the California residents’ data, and to request deletion or modification of that data. Businesses are also not permitted to discriminate against customers who exercise any of the rights identified in CCPA. It’s not very clear what the specific criteria are for determining which businesses qualify. That’s because “business” is defined to include any business that:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Right off the bat, it’s clear that many businesses won’t hit the (A) or (C) thresholds. But (B) is extremely vaguely written and could subject many medium or large (and even some small) businesses to the CCPA’s reach. The lack of clarity could mean that it’s safer for some businesses to just assume that the law applies to them and act accordingly.
This is an over-simplification of the very complex CCPA, but the point is that consumers will have a great deal of leverage over qualifying businesses when the law takes full effect. In many senses the CCPA is like the GDPR. But there are many differences too, so it’s important to consult with counsel who is versed in both jurisdictions’ laws and regulations.
I would be remiss if I did not mention the possibility that CCPA will be preempted by a future federal privacy law. But even if that happens, there will still be some sea change on the horizon with which businesses must familiarize themselves and comply.
California’s Internet of Things Law
In late September 2018, the California Governor approved SB-327, the first information security law in the U.S. specifically targeting the Internet of Things (“IoT”). SB-327 takes effect on January 1, 2020, and will require manufacturers of connected devices—essentially, devices in the IoT—to equip them with “reasonable” security measures. These security measures must be appropriate to the nature of the devices and the information they collect and contain, and must be designed to protect the devices from unauthorized access, destruction, use, modification, or disclosure. SB-327 also requires devices that can be accessed from outside a local area network either to be equipped with a password unique to each device or to require the user to generate a new password before access is granted for the first time.
SB-327 really only affects “manufacturers” of IoT devices—not distributors, retail sellers, or customers. For many businesses that rely on, sell, or use IoT devices, no real changes in operations may be necessary. But that term “manufacturers” is extraordinarily broad and may touch businesses halfway around the world. The term is defined to include any business that manufactures—either itself or through a contracting third party—qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold for product sales in California. Consequently, any manufacturer, anywhere, could be subject to SB-327.
Complying with SB-327 may be as simple as assigning randomly generated passwords to each device or re-tooling software or firmware to provide more robust security protection. But for some manufacturers—especially of devices that gather or contain sensitive information—compliance may be more involved and may require a ground-up reinvention. Consultation with counsel is always the best step towards compliance.
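As an added illustration that is not part of the original post, here is one way a manufacturer could implement both SB-327 paths in software: a provisioning step that preprograms a unique random password per unit, and a first-access gate that refuses remote logins while a shared factory default is still in place. The class, the work factor and the list of refused defaults are assumptions, not anything the statute or the post prescribes.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune to the device's CPU budget
WEAK_DEFAULTS = {"admin", "password", "12345678"}  # constructed list of shared defaults to refuse


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted PBKDF2-HMAC-SHA256 hash of the password, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class DeviceCredential:
    """Credential state for one connected device (hypothetical structure)."""
    def __init__(self, serial: str, password: str, unique_factory: bool):
        self.serial = serial
        self.unique_factory = unique_factory  # True if the factory password is unique to this unit
        self.user_set = False                 # True once the user has generated a new password
        self._rehash(password)

    def _rehash(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

    def set_user_password(self, current: str, new: str) -> bool:
        """SB-327 path 2: the user generates a new password before first access."""
        if not self.verify(current) or len(new) < 12 or new in WEAK_DEFAULTS:
            return False
        self._rehash(new)
        self.user_set = True
        return True

    def remote_access_allowed(self, password: str) -> bool:
        """Gate for access from outside the LAN: a shared factory default is never sufficient."""
        return self.verify(password) and (self.unique_factory or self.user_set)


def provision_batch(serials: list[str]) -> dict[str, tuple[DeviceCredential, str]]:
    """SB-327 path 1: preprogram a unique CSPRNG password per unit, refusing collisions."""
    issued: dict[str, tuple[DeviceCredential, str]] = {}
    seen: set[str] = set()
    for serial in serials:
        pw = secrets.token_urlsafe(12)  # 96 bits of entropy, 16 URL-safe characters
        while pw in seen:  # astronomically unlikely, but a batch must never repeat
            pw = secrets.token_urlsafe(12)
        seen.add(pw)
        issued[serial] = (DeviceCredential(serial, pw, unique_factory=True), pw)
    return issued
```

The plaintext returned by `provision_batch` exists only so it can be printed on the unit's label; the device itself keeps just the salted hash.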
The CCPA and SB-327 are still a ways out, but that doesn’t mean international businesses, or other U.S. businesses for that matter, are off the hook. There are a host of privacy laws around the country that already apply.
Many states—including, obviously, California—also have some kind of information security standard. These laws usually require businesses holding some kind of statutorily defined “personal information” to adopt reasonable security measures.
These are just a few examples. The point is that data security shouldn’t be an afterthought for international businesses. If you do business internationally, you need to be proactive to stay ahead. Like it or not, California and the United States already have laws that impact international businesses that operate outside the United States. And these sorts of laws are only getting more comprehensive everywhere.