Recent developments in California law now suggest that the state is going to be especially aggressive in trying to reach beyond its borders to control the conduct of out-of-state businesses, including catalog and online retailers and their business partners. Two of these efforts in particular are worth your time and attention now, to avoid potential pitfalls in the future. California Consumer Privacy Act (CCPA) Last year, California’s General Assembly hastily passed the CCPA, the most significant and comprehensive privacy law in the country. Due to go into effect at the beginning of 2020, the CCPA will impose obligations on firms across the country to identify for California consumers information collected from and about them, and to allow these consumers unprecedented rights to force companies to edit or delete information about them on request. Firms that do not comply could face litigation, which could lead to an award of civil penalties or damages, including on a class action basis, if violations are established. The CCPA remains a bit of a moving target, as the California Attorney General is going through a rule-making process and the legislature is considering further changes to the law before it goes into effect on January 1, 2020. Here is a thumbnail sketch of the law in its current form, but bear in mind that the precise contours remain to be worked out: Who’s affected? Any company that “does business in California” and meets the following criteria:
- a company with annual (worldwide) gross revenue over $25 million;
- a company that buys, sells, or has personal information of 50,000 or more California residents; or
- a company that controls, or is controlled by, a company that meets the first wo criteria. From California’s perspective, doing business “in California” could just mean marketing or selling to residents of the state no matter where your company is located.
What constitutes “personal information”? The statute broadly defines the term as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and provides examples of specific categories of protected information.  Unlike any other privacy law in the United States, even wholly anonymous information falls under the CCPA. What rights does the CCPA provide?
- Privacy Practices: An affected business must inform consumers which categories of personal information it collects and for what purposes before The business also must provide that information free of charge on request by a consumer. Having a privacy policy on your website won’t suffice.
- Right to Deletion: Businesses must disclose their right to have personal information deleted and must delete personal information upon request by a consumer. This kind of broad requirement might be read to obligate a company to delete everything from transaction histories to mailing addresses.
- Onward Disclosures: Businesses that sell (or rent) consumer personal information or disclose it for a business purpose must disclose that information on request by a consumer.
- Right to Opt Out of Sale of Personal Information: Businesses must provide notice that their customers have the right to opt out of the sale of personal information; must not sell personal information to third parties on request by a consumer.
- No Price Discrimination: Business cannot discriminate against consumers who have exercised rights under CCPA in pricing.
 What kind of exposure is there? A California consumer whose personal non-encrypted or non-redacted information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the CCPA can bring a civil action. Remedies can include:
- the greater of damages between $100 per day and $750 per consumer per incident or actual damages;
- injunctive or declaratory relief; and
- other relief deemed proper by a court
The State Attorney General can also file suit for civil penalties of up to $2,500 for a violation, or up to $7,500 for an intentional violation. What hope is there? Under the current version of the law, businesses accused of violating the CCPA have 30 days to fix the alleged violation. Also, the statute (currently) allows businesses to seek guidance from the state Attorney General on how to comply, although it appears that the state regulators are working to eliminate the ability for companies to obtain such guidance. Finally, the CCPA’s effective date is January 1, 2020, meaning that there is time to seek help and guidance. Proposition 65 As if that weren’t enough, the Golden State has also amended its infamous Proposition 65, with the purpose of requiring more meaningful health and safety warnings to consumers and to avoid the scourge of “over-warning.” The new rules apply to products manufactured after August 30, 2018. The key changes include:
- New Safe Harbor Warnings, which must specifically identify at least one chemical that prompted the need for a warning; contain a triangular “WARNING” symbol; and meet specific type-size requirements.
- Publication in additional languages
- New truncated warnings for on-product safe-harbor warnings; and
- Publication of warnings in catalogs.
On the plus side, there are new protections for pure retailers, shifting principal compliance responsibilities to importers, manufacturers, and distributors. The details include whether you are the importer of the product and whether you have actual knowledge of a product issue but still fail to warn. Since California makes up an entire 12 percent of the total GDP in the United States, walking away from these customers will not be a realistic option. You’re best served by keeping an eye on legal developments in California and keeping your trusted advisors on speed dial. Working to support a national privacy law, and nationwide warnings and notices for goods in interstate commerce, is another important action to take. Contact the ACMA at 800-509-9514 or [email protected]