Many of our China clients sell their products and services to the United States. And because nearly all these companies sell to California, the China Law Blog editors asked me to write about how California’s rapidly advancing privacy and data security laws impact foreign companies that do business with California. I have been tasked with this because I am a data privacy law attorney in our firm’s Los Angeles office and a Certified Information Privacy Professional, and because much of my work involves helping foreign companies navigate U.S. data privacy laws.
In the past few years, California has adopted the most sweeping and broad privacy and data security laws in the United States. California has taken up the task of creating a massive shift in data privacy and security laws similar to what the European Union did with its General Data Protection Regulation (or “GDPR”). These new California laws will affect businesses throughout the United States, and even the world, because they are targeted at data affecting California consumers—regardless of where the businesses holding that data reside. So, it is critical for businesses from around the world to understand these laws and to modify their data practices accordingly.
It is also important for international companies to understand that this isn’t just a problem for some time in the future. There are current laws (again, mostly in California) that require them to adopt data security and privacy controls, laws which in our experience many companies are not even aware of. This post examines some of the more important laws on the horizon, as well as ones that already exist.
1. California Consumer Privacy Act
The California Consumer Privacy Act (or “CCPA”) was approved by the California Governor as Assembly Bill 375 in June 2018, which was subsequently amended on September 23, 2018 via Senate Bill 1121 (another possible statutory amendment is currently under consideration, and the California Attorney General is in the process of implementing regulations pursuant to the law).
The CCPA will take full effect in January 2020 and is by far the most sweeping privacy law in U.S. history. It is comparable in scope to GDPR, a law of which virtually every international business is aware.
CCPA is intended to give California residents expansive rights to seek information from “businesses” which collect the California residents’ data, and request deletion or modification of that data. Businesses are not permitted to discriminate against customers who exercise any of the rights identified in CCPA. It is not clear what the specific criteria are for determining which businesses qualify. An included “business” is defined as follows:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Right off the bat, it’s clear many businesses will not hit the (A) or (C) thresholds. But (B) is vaguely written and could subject many medium or large (and even some small) businesses to the CCPA’s reach. The lack of clarity could mean it will be safer for some businesses to just assume the law applies to them and act accordingly.
This is an over-simplification of the very complex CCPA, but the point is that consumers will have a great deal of leverage over qualifying businesses when the law takes full effect. In many respects, the CCPA is like the GDPR. But there are many differences too, so it’s important to consult with counsel versed in both jurisdictions’ laws and regulations.
I would be remiss if I did not mention the possibility that the CCPA will be preempted by a future federal privacy law. But even if that happens, there will still be some sea change on the horizon with which businesses must familiarize themselves and comply.
2. California’s Internet of Things Law
In late September 2018, the California Governor approved SB-327, the first information security law in the U.S. specifically targeting the Internet of Things (“IoT”). SB-327 takes effect on January 1, 2020, and will require manufacturers of connected devices to equip them with “reasonable” security measures. These measures must be appropriate to the nature of the device and the information it collects and contains, and they must protect the device and that information from unauthorized access, destruction, use, modification, or disclosure. SB-327 also requires devices that can be accessed from outside a local area network to be equipped with a password unique to each device, or to allow the user to generate their own password.
SB-327 really affects “manufacturers” of IoT devices — not distributors, retail sellers, or customers. For many businesses that rely on, sell, or use IoT devices, no real changes in operations may be necessary. But that term “manufacturers” is extraordinarily broad and may touch businesses halfway around the world. The term is defined to include any business that manufactures — either itself or through a contracting third party — qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold for product sales in California. Consequently, any manufacturer, anywhere, could be subject to SB-327.
Complying with SB-327 may be as simple as assigning randomly generated passwords to each device or re-tooling software or firmware to provide more robust security protection. But for some manufacturers — especially of devices that gather or contain sensitive information — compliance may be more involved and may require a ground-up reinvention. Consultation with counsel is always the best step towards compliance.
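To make the “randomly generated password per device” option concrete, here is an added illustration of what a manufacturer’s provisioning step and a pre-ship audit might look like. It is example code written for this post, not code from any statute, regulator or product; the device serials, the short list of weak factory defaults and the sample fleet extract are all constructed, and the specific checks (unique-per-batch, not a known default, or user-set on first access) are the author’s reading of the two compliance paths described above rather than a legal standard.

```python
"""Added example: per-device credential provisioning and a batch audit.

Everything here is constructed for illustration. The weak-default list,
serial numbers and fleet extract are sample data, not real products.
"""
import secrets
import string
from collections import defaultdict

# Constructed list of weak factory defaults a provisioning step must never emit.
CONSTRUCTED_WEAK_DEFAULTS = {"admin", "password", "12345", "default", ""}

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16


def generate_device_password(length=PASSWORD_LENGTH):
    """Draw a password from the OS CSPRNG via `secrets`, never from `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision_batch(serials):
    """Assign each serial its own freshly generated password.

    Returns {serial: password}. Refuses to continue if two devices would
    receive the same value or a value on the weak list; with a 16-character
    alphanumeric secret that is not expected, but shipping it would be worse
    than halting the line.
    """
    batch = {}
    seen = set()
    for serial in serials:
        password = generate_device_password()
        if password in seen or password in CONSTRUCTED_WEAK_DEFAULTS:
            raise RuntimeError(f"provisioning collision or weak value for {serial}")
        seen.add(password)
        batch[serial] = password
    return batch


def audit_batch(batch):
    """Check a {serial: password} batch against the two compliance paths.

    A value of None means the device forces the user to set a password before
    remote access is granted, which is accepted as-is. Any other value must be
    unique across the batch and must not be a known weak default.
    Returns {"weak": [serials], "shared": [[serials sharing one password], ...]}.
    """
    by_password = defaultdict(list)
    weak = []
    for serial, password in batch.items():
        if password is None:
            continue  # user must create credentials on first access: compliant
        if password in CONSTRUCTED_WEAK_DEFAULTS:
            weak.append(serial)
        by_password[password].append(serial)
    shared = sorted(sorted(group) for group in by_password.values() if len(group) > 1)
    return {"weak": sorted(weak), "shared": shared}


def is_compliant(batch):
    """True only when no device uses a weak default and no password is shared."""
    findings = audit_batch(batch)
    return not findings["weak"] and not findings["shared"]


# Constructed sample fleet extract: two cameras still carry the factory default.
SAMPLE_FLEET = {
    "CAM-0001": "admin",
    "CAM-0002": "admin",
    "CAM-0003": "q7Lp2ZxR9vB4kT1m",
    "HUB-0001": None,  # hub forces the user to set a password on first login
}

if __name__ == "__main__":
    print(audit_batch(SAMPLE_FLEET))
    fresh = provision_batch(["CAM-0004", "CAM-0005", "CAM-0006"])
    print("fresh batch compliant:", is_compliant(fresh))
```

Run against the constructed fleet, the audit flags CAM-0001 and CAM-0002 both as weak and as a shared-password group, while the hub that defers to the user passes; a batch produced by `provision_batch` passes the same audit. The point of keeping the audit separate from provisioning is that it can also be run over a firmware configuration extract or an installed base, where the shared-password finding is usually the one that matters.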
3. Existing Law
The CCPA and SB-327 are still a ways out, but that does not mean that international (and U.S.) businesses are off the hook. There are a host of privacy laws around the country that already apply.
Many US states — including, obviously, California — also have some kind of information security standard that requires businesses holding statutorily defined “personal information” to adopt reasonable security measures.
These are just a few examples. The point is that U.S. and California data security needs to be more than just an afterthought for international businesses. California and the United States already have laws that impact international businesses that operate outside the United States and these sorts of laws are only increasing in both number and impact.