Every Move You Make, Every Step You Take
After several recent major cases of cyber fraud (particularly the Cambridge Analytica breach on Facebook), people are more apprehensive and skeptical of cyber security than ever before. The advent of highly optimized digital ads informed by user history doesn't help in combating this paranoia either.
If you're a California resident, the hot topic in 2019 is the new California Consumer Privacy Act, which goes into effect this next January and has been described as "GDPR light" for the United States, and how it's going to impact the majority of online businesses that gather personal data from residents in California. In this blog, Hollywood Branded examines cyber law and privacy order from the expertise and experience of attorney Richard Chapo.
A Little Background On Richard
Richard is a business lawyer with 27 years of experience specializing in internet law based in San Diego. He helps entrepreneurs avoid copyright infringement letters and other threats when operating online, including the new Digital Millennium Copyright Act and best practices for using it collecting contact information.
Interview Transcript Highlights
Question: I'd love to have you start off talking about how long you've been doing what you've been doing, a little bit more about your background, which is quite interesting? Where you're at and what got you to what you're doing today?
Answer: Sure, I grew up in Southern California and became a licensed attorney in 1992. And I've been practicing law since then. Originally, focused on litigation, primarily complex litigation, an area of law called bad faith insurance, wrongful death. I used to defend the hospitals and doctors and things of that sort.
Like many attorneys, I burned out on it. And so in 1999 went to Siberia for a year, of all places, to teach law and just generally contemplate and figure out what I wanted to do with my life. And so upon return, decided to, instead of litigation, focus more on helping small businesses basically grow and avoid some of the common problems that they run into.
I had a friend who was working as a CEO of an internet company. Now keep in mind this is 1998 so everybody was a CEO of an internet company. And he needed some legal work done and didn't know the field, neither did I, quite honestly. But nonetheless, we decided to have a go at it. And I've been doing it ever since.
Question: Can we start off chatting a little bit more about the whole California Consumer Privacy Act? Since we spent the last two years almost listening to what's happening in Europe and how everything's changed with compliance there. And now it's coming over to the United States, and businesses who don't actually put in some safeguards are opening themselves up to some definite issues.
Answer: So the situation obviously, we had in Europe was the GDPR, which went into effect in May, 2018, that was the General Data Protection Regulation. And from the business perspective, it's a killer regulation. It is the kind of regulation that even people that work at the DMV look at it and go, "Hmm, that might be a bit much." And it has extensive requirements, record keeping, tech changes, and things of that sort that you have to make.
However, it did have… what I think most people would agree is probably an acceptable goal, which was to try to give individuals a better idea of what information is being collected about them online, and how it's being used, who it's being shared with. And so the California Consumer Privacy Act is basically shooting for the same thing.
Now, unfortunately, once you actually start reading the act, it gets rid of a lot of the sharp elbows that you see in the GDPR. And instead, it really works to give people again, the ability to understand what's being collected about them. Because I think when most of us think of personal data, we think of perhaps our name, our email address, maybe our phone number. But technology has become so sophisticated that even just your IP address or indirect identifiers like geolocation, the devices you're using could be used to create profiles and sell information. I mean, all you have to think about is if you're on Google, and you do a search for something, the next week you see ads for something related to that topic. And that's essentially what's going on. There's basically no behavioral profiling and what have you.
The CCPA basically tries to address that and it gives people a number of different rights. One is the right to know what personal information is being collected about you. And so you could contact whatever site. Obviously Facebook would be kind of the classic site that we look at. The right to know where the personal information is sold or disclosed. And so they're going to have to provide you that information. And then you're going to have the right to tell them to stop.
That's a different aspect that we don't even see in the GDPR, which is considered pretty extensive regulation. So that's an interesting new twist. Then you're going to have the right to access your personal information so that means that you're going to be able to say to companies online, "I want to know what you've collected from me over the last 12 months." That's going to give you a look back period and you'll get a better idea of what people are grabbing, what they're doing. If you've ever done any advertising on Facebook, you can really drill down into a lot of the data they have. It's amazing some of the information that they have, and how you can filter it this way and that. So I think a lot of people would be very surprised to learn what this information is.
And then you're going to have a right to equal service and price. So what that means, essentially, is that if you express any other area, you exercise any of the other rights under the CCPA, people can't discriminate against you. So if you make a request for your data, they can't suddenly raise your prices or do anything of that sort. It's an equalization effort.
Then from the business side, obviously you're going to have to implement procedures to deal with all of those issues. But you're also going to have to amend your contracts with your vendors, anybody who's having access to information through your sites. So that could be plugins, cookies, any of these groups. And you're going to have to make sure that they are compliant with the CCPA as well. And so that somewhat mirrors what we see with the GDPR.
So what does all this mean? What about penalties? So the penalties are basically … the California Attorney General's in charge of enforcing the Act from a governmental perspective. And the penalties can be up to $7,500 per intentional violation. So if you don't do anything to comply, or you take some type of action to circumvent, $7,500 per violation. And a violation can often be interpreted as a single person who you've collected information from and not complied with the CCPA. If you've done that with one person, you've probably done it with many. And so that number grows pretty quickly. If it's an unintentional violation, you just were negligent and you messed it up and it drops to $2,500 per violation.
Now the interesting thing is the Act also includes a class action … well, not even just class action, but a right of private lawsuit. Basically, any individual who's impacted can sue you, but the damages are limited between $100 to $750. However, they can bring class action lawsuits. So that's going to be a problem for some of the larger companies that are out there. And the interesting thing about this is that the CCPA has a saving grace and that is, it has a 30 day cure period. We're still waiting for regulations to be issued, but it appears as though the California Attorney General and even private parties will have to give you a notice of whatever it is they're complaining about. And then you have 30 days to cure it. If you don't cure it in that 30-day period, then they can go forward with penalties and lawsuits.
Question: If we can break it down, what does that mean to a company? Does that mean that the email lists that they have and that they're blasting away at are now going to need to be scrubbed or changed or anything altered with that, at all?
Answer: Not necessarily. Not from what we're seeing so far. The difference between that and the GDPR ... a lot of people ran into that with the GDPR. The problem is the GDPR requires you to have a legal basis before you can collect personal data. And there are six different types and the most common type was consent. And so if you've developed an email list, you didn't have an affirmative consent where somebody's essentially checked the box saying, "Yes, you can email me promotional materials", well, you pretty much had to scrape those people off your list. At least certainly, that was one common interpretation.
The CCPA doesn't have a consent provision, it doesn't have a legal basis requirement. And so that's not in there. So if you have an email list, you're probably in good shape. Now, if you are meeting certain thresholds, you're going to have to comply with the CCPA regardless of where you are. So whether you're in Maine or you're in Brazil.
Those thresholds are essentially, if you bring in more than $25 million in revenues, if you make more than 50% of your revenues from the sale of personal data or the rental of it. So for instance, if you have a lead generation company, that would be a situation where that would apply. Or if you receive, sell, or share data of more than 50,000 individuals or devices. And those are individuals, from what we can tell so far, that are natural residents of California, so not 50,000 individuals around the world. So we're looking at … We have those thresholds that will protect smaller businesses. But as your business grows in size, and as you move around more data, you're probably going to have to face some of this. But email lists, actually, you probably are going to come through this law without being too hurt, I would say.
Question: Does this really impact more businesses and companies that are targeting a private consumer? Or does this also carry over to if you operate on a B2B level and you are capturing data of a business user that your target is? Is there a differentiation?
Answer: It focuses on natural residents or natural persons who are residents of California. So it includes consumers but also B2B, it actually also includes your employees. It's going to be a surprise for some businesses. One of the things about this law and the reason why there's some hesitation with the answers is the origins of the CCPA are somewhat bizarre. It was actually going to be brought as an initiative in California. And so you can have initiatives put on the ballot and you can bypass the legislature and the governor.
If people voted in a specific way to approve something, then it just becomes a law. And so this was initially an initiative that was brought by a real estate investor up in San Francisco and a couple of other people. And it was written in such a way that as soon as it passed, it would have gone into effect and businesses would not have been able to comply. Just there wasn't enough time and then it was also going to violate other laws, like HIPAA and some other different provisions out there that are federal laws. So it would have caused all kinds of problems.
So the bizarre thing that happened in the summer of 2018 was that it became apparent that it was going to pass. The polls were just very much in favor of it. We were having the Cambridge Analytica issues with Facebook. And so people were fired up about privacy. And so politics being what it is in California, the legislature just made a deal with the people who were behind the initiative and they said, "What we'll do is we'll basically create this law. A lot of it mirrors the initiative, but we're going to make some changes."
They went through and they negotiated out what that was going to be, but they did it in seven days. And so they enacted the law in that seven-day period. The reason they did it so fast was the initiative had to be taken off of the ballot by a certain date, and they were running up to a deadline. So the GDPR in Europe took four years to draft, and the California Consumer Privacy Act was drafted in seven days. So as you can imagine, there are parts of it that are a mess that conflict with itself. There are things like what's a device? Is it your smartphone, is it your tablet? Is it your PC at home? What about a TV? What about Alexa? There are all these kinds of questions. And so we're seeing a series of amendments coming along, trying to fix those problems with the law. But yeah, from what we're seeing right now, it's going to be everybody: consumers, business, employees, it's going to be pretty pervasive.
To learn more about cyber law and coming changes in it, you can listen to the full interview in our podcast.