Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Get Ready for California's Version of the EU General Data Protection Regulation
The entertainment industry is intensely focused on data collection and analytics as it seeks to maximize the exploitation of digital content. Just as those of us in the privacy field had begun to have a slight breather as much of the heavy lifting on the European General Data Protection Regulation (GDPR) was finally behind us, lawmakers in California have passed the California Consumer Privacy Act of 2018 (CCPA).
The CCPA, which will take effect on Jan. 1, 2020, will require companies that process the personal data of residents of California to observe restrictions on data monetization, provide for data subject rights that are similar to those found in the GDPR, update their privacy policies and to take steps to protect against the possibility of penalties and liquidated damages.
The CCPA will apply to all companies, wherever located in the world, that receive personal data from California residents if they or their parent company or a subsidiary: has annual gross revenues in excess of $25 million; obtains personal information of 50,000 or more California residents, households or devices annually; or obtains 50% or more annual revenue from selling California residents' personal information.
The CCPA defines personal information very broadly, expanding the existing definition to include any data that relates to or can be associated with a particular consumer, including: contact information; online identifiers; government ID numbers; purchase history and other commercial data; biometric information; browsing/search history; sensory, geolocation, professional, employment or education data; and any data used “to create a profile reflecting preferences, characteristics, … behavior, attitudes, intelligence, abilities, and aptitudes.”
Like the GDPR, the CCPA provides data subjects with a number of privacy rights, including:
- Once the CCPA is in effect, California residents will have the right to access and know what personal information is collected. Prior to collection, companies must make a number of mandatory disclosures, including the categories and uses of personal information in transactional and other contexts. California residents will also have the right to know whether personal information is sold or disclosed and to whom. Companies must inform requesting consumers about the categories of personal data sold to third parties or disclosed in connection with a transaction. Third-party recipients of personal information are prohibited from selling the data without notice and an opt-out.
- Upon request, companies must stop selling personal information. In addition, companies wishing to sell personal information from children will be required to obtain opt-in consent from the child if the child is 13 to 16 years old or from the child's parent or guardian if the child is younger than 13.
- Subject to certain exceptions, a company that receives a deletion request from a consumer must erase the consumer's personal information from its systems and must also direct its service providers to do the same. As with the GDPR, this will require companies that are in control of personal information processing operations to enter into agreements with their service providers so as to ensure they will be able to comply.
- The CCPA prohibits companies from discriminating against consumers who exercise their CCPA rights.
The CCPA creates a private right of action with the potential to recover damages of $100 to $750 for each affected consumer, exposing companies to an enhanced risk of class actions and costly litigation. In addition, companies will violate the CCPA if they fail to cure within 30 days of receiving notice from the state attorney general. Such violations will be subject to civil penalties of up to $2,500 per violation. Intentional violations can result in civil penalties of up to $7,500 per violation. The attorney general could seek to multiply penalties by the number of affected consumers and/or the number of days the violation occurred.
Although compliance is not required until January 2020, it's not too early for entertainment companies to take some concrete steps to take right now:
- Make available designated methods for consumers to submit data access requests, including, at a minimum, a toll-free telephone number.
- Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the business's Internet home page to direct users to a web page enabling them, or someone they authorize, to opt out of the sale of personal information.
- Consider reviewing vendor agreements to determine if they need to be renegotiated to address the forthcoming changes in law.
- Begin modifying privacy policies, because the CCPA mandates a number of additional disclosures beyond what are typically included in most policies today.
*****
Jacqueline Klosek is a counsel in Goodwin Procter's business law department and a member of its intellectual property group as well as its privacy and cybersecurity practice. Her practice focuses on transactions involving technology and intellectual property, and she regularly advises clients on various issues related to privacy and data security. She is a key contributor to Goodwin's Founders Workbench, an online resource for startups, emerging companies and the entrepreneurial community. Klosek drafts and negotiates various technology agreements and advises on different aspects of the law related to intellectual property and technology. She also advises clients on various issues related to privacy and data security.
|This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
Supreme Court Hears Arguments In Corporate Trademark Infringement Remedy Calculation Case
The business-law issue of whether and when a corporate defendant is considered distinct from its affiliated entities emerged on December 11 at the U.S. Supreme Court, with the justices confronting whether a non-defendant’s affiliate’s revenue can be part of a judge’s calculation of the monetary remedy for the corporate defendant’s infringement of a trademark.
Navigating AI Risks: Best Practices for Compliance and Security
The most forward-thinking companies embrace AI with complete confidence because they have created governance programs that serve as guardrails for this incredible new technology. Effective governance ensures AI consistently aligns with an organization’s best interests, safeguarding against potential risks while unlocking its full potential.
What Will 2025 Bring for Legal Tech
It’s time for our annual poll of experts on what they expect 2025 to bring in legal tech, including generative AI (of course), e-discovery, and more.
AIAs: A Look At the Future of AI-Related Contracts
AI’s rapid market proliferation and regulatory expansion mirrors privacy’s, and businesses should model their contractual AI compliance on the successes of privacy law’s DPA and BAA.
The Death of SEO: How AI Is Impacting Search, PPC and Cookies
Traditional keyword strategies and ranking tactics are losing ground to a more dynamic approach in which optimizing for search now means optimizing for every platform and user interaction. This evolution is appropriately being called “Search Everywhere Optimization.” The redefined SEO reflects how AI is not just changing how people find information but also how businesses need to think about visibility in an increasingly connected digital ecosystem.