California Privacy Law ➲ For Businesses in the Cloud

15/12/2023

Privacy + CyberSecurity Law

This blog article aims to assist businesses already in California and those interested in expanding their online presence to serve clients in California (poised to become the world's 4th biggest economy) to navigate the evolving Californian Privacy Law landscape. It provides an overview of the generally applicable Californian Privacy Laws for businesses in the cloud serving Californian Clients. As Privacy Law in California is rapidly changing, please check back regularly for updates.

James D. Ford Esq.

Founder & [iC]℠ a.k.a Outside General Counsel

Contents

Overview

1️⃣ PRIVACY POLICY

2️⃣ Cookie Pop-Up Notice, Cookie Policy & Cookie Preferences

3️⃣ Online Child Protection

4️⃣ Other Required Privacy Notices

Overview

Whilst many businesses already have an online presence in California, based on what we have seen online, it appears that many remain both unaware & unprepared for the new California Privacy Law regulatory requirements.

This blog article aims to assist both businesses already doing business in California and those interested in expanding their online presence to serve clients in California (poised to become the world's 4th biggest economy) to navigate the evolving Californian Privacy Law landscape.

The Blue Ocean Strategy® opportunity to chart new global markets by adopting a cloud-based business strategy is one that BLUEOCEAN.law have been pursuing for some time now, which has led to us charting both New Zealand & California as new markets for our legal services.

To focus on the core topic of generally applicable California Privacy Law, this blog article sets aside any discussion of the following essential legal matters that MUST also be addressed by any business dealing with Californian Residents:

⚖️ Determining whether your online business is "Doing business in California?";

⚖️ Whether California or Federal Income Tax +/or the minimum annual California Franchise Tax is payable;

⚖️ Whether you are selling tangible physical products such that the California State Sales +/or Use Taxes apply;

⚖️ Whether you are streaming digital content to California Residents such that the California Use Tax applies; as well as

⚖️ Any specific Federal or State Privacy Laws that may specifically cover your industry.

This blog article assumes:

✅ Your business will at least initially be Cloud-based to serve Californian Clients; and

✅ You will contact us for specific legal advice regarding compliance with any applicable regulatory hurdles or Privacy Laws.

Before you can be in a position to launch your online services to Californian Clients you need to consider what updates need to be made to your website and internal processes to comply with the generally applicable California Privacy laws.

Some of the required website changes are minor, however all are important not only for legal compliance, but also to help gain the confidence & trust of your potential California-based Clients.

No Overarching Federal Privacy Law

The U.S. does not currently have a single overarching Federal Privacy Law to protect the privacy of all Americans.

However, there are legal privacy compliance requirements set at the Federal level for specific industries, such as healthcare, and financial services, etc.

Therefore you will primarily need to pay attention to the rapidly evolving Californian Privacy Laws.

The good news is that many of the emerging Californian privacy laws are modelled on the GDPR.

If your business has already made changes to comply with the GDPR to serve EU residents then your website and internal processes will not require as many updates.

California was the first state to enact GDPR-style privacy laws (and also represents our target market).

⭐️ Blue Ocean Law Group are currently in the process of expanding our legal service offerings from Australia to New Zealand and California, and in due course the UK under the Australia-UK Free Trade Agreement.

1️⃣ PRIVACY POLICY

Updates to our Privacy Policy can be found in our section dedicated to California consumers and their privacy rights.

This section of our Privacy Policy is designed to comply with the requirements of the "California Consumer Privacy Act of 2018" (the "CCPA"), as updated by the "California Privacy Rights Act" (the "CPRA") and subsequent regulations (California Privacy Law).

We also changed our Privacy Policy footer link text by capitalizing it, like so, PRIVACY POLICY to make it more conspicuous, that is, so that it stands out and can be easily located.

Ensuring that important legal rights, responsibilities and obligations are conspicuous is a general theme of both contract law & consumer protection in the U.S.

This is required by the regulators to avoid situations where important legal terms are buried in the fine print.

2️⃣ Cookie Pop-Up Notice, Cookie Policy & Cookie Preferences

In Australia, businesses are not currently legally required to:

⚖️ Provide a Cookie Pop-Up Notice (including an initial opportunity to select Cookie Preferences) before starting to collect Cookies from a Client;

⚖️ Have a Cookie Policy; or

⚖️ Provide the ability for Clients to change their Cookie Preferences at any time.

As BLUEOCEAN.law strive to implement best practice, even before launching online legal services to Californian Clients our website had already adopted the use of a Cookie Pop-Up Notice, and Cookie Policy.

However, we had not gone as far as setting up a dedicated link to provide the ability for our Clients to change their Cookie Preferences at any time after the initial Cookie Pop-Up Notice (including an initial opportunity to select Cookie Preferences) was displayed.

A quick discussion with our web developer led to the provision of the link we needed to be able to provide the option to Clients.

It then became a simple matter to add this link to our collection of legal links in our website footer:

Scroll down to the footer at the bottom of this webpage and look for "Cookie Preferences" in the legal links section.

If your website does not currently effectively deal with Cookies we recommend you contact us to help you set up a complete Cookie Solution that complies with the relevant requirements.

3️⃣ Online Child Protection

California Age-Appropriate Design Code Act

California has pushed ahead with the signing into law of AB 2273 on 15 September 2022 (Effective 1 July 2024) to establish the California Age-Appropriate Design Code Act which requires online platforms to consider the best interest of child users and to default to privacy and safety settings that protect children’s mental and physical health and wellbeing.

AB 2273 requires online platforms to consider the best interest of child users and to protect their mental health and wellbeing.

“We’re taking aggressive action in California to protect the health and wellbeing of our kids,” said Governor Newsom. “As a father of four, I’m familiar with the real issues our children are experiencing online, and I’m thankful to Assembly members Wicks and Cunningham and the tech industry for pushing these protections and putting the wellbeing of our kids first.”

AB 2273 prohibits companies that provide online services, products or features likely to be accessed by children from:

❌ Using a child’s personal information;

❌ Collecting, selling, or retaining a child’s geolocation;

❌ Profiling a child by default; and

❌ Leading or encouraging children to provide personal information.

The bill also requires that privacy information, terms of service, policies, and community standards be easily accessible and upheld – and requires responsive tools to help children exercise their privacy rights.

The Children’s Data Protection Working Group will be established as part of the California Age-Appropriate Design Code Act to deliver a report to the Legislature, by January 2024, on the best practices for implementation.

AB 2273 requires businesses with an online presence to complete a Data Protection Impact Assessment before offering new online services, products, or features likely to be accessed by children.

Provided to the Attorney General, the Data Protection Impact Assessments MUST identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices.

“As the mom of two young girls, I am personally motivated to ensure that Silicon Valley’s most powerful companies redesign their products in children’s best interest,” said Assembly member Buffy Wicks (D-Oakland). “Today, California is leading the way in making the digital world safe for American children, becoming the first state in the nation to require tech companies to install guardrails on their apps and websites for users under 18. The Design Code is a game changer, and a major step forward in creating a global standard for the protection of youth online.”

Federal Law Online Child Protections (COPPA)

The Federal law that carves out some privacy protections for children online, the Children’s Online Privacy Protection Act (COPPA), only extends its protections to children under age 13.

Importantly, these Federal protections apply to online businesses:

⚖️ Whose main target audience is children under the age of 13; or

⚖️ That have actual knowledge that some of their users are children under 13 years; or

⚖️ That are third parties collecting information on behalf of a site and have knowledge that some of that site's users are under 13 years.

California Privacy Law extensions to (COPPA)

The Californian Privacy Laws have generally extended the Federal online child privacy protections to include all online businesses and increased the age protection to 16.

Where the business provides online services, products or features likely to be accessed by children special additional protections are activated, and the age protection is increased further to 18 (refer above).

Your business may be deemed to have "Actual Knowledge" of a child's age!

The Californian Privacy Laws say that if a business willfully disregards a child’s age, it will be deemed to have actual knowledge.

What does that mean in an online world where most websites and apps don’t request or require a user’s age?

How would those businesses have actual knowledge, if at all?

The bottom line is that if your business collects personal information, it needs to determine the purposes the data will be used for and whether, for those purposes, it is considered:

⚖️ A general online business (minor under 16); or

⚖️ A business providing online services, products or features likely to be accessed by children (minor under 18).

Once the applicable law is identified, then your business can best determine how to deal with the potential that any of the Clients on your website may actually be a minor.

4️⃣ Other Required Privacy Notices

California Privacy Law mandates the consideration of the provision of the following additional Privacy-related Notices on your website.

Please contact us if you have any queries in regard to these additional Notices, and required variations depending upon how your business deals with your Clients' personal information, and whether or not your website responds to DO NOT TRACK signals, etc.

Legal

Do Not Sell or Share My Personal Information

Limit the Use of My Sensitive Personal Information

We DO NOT RESPOND to DO NOT TRACK Signals

Californian Privacy Laws ➲ Right to "Opt-Out" of the Sale of Personal Information

By way of example, BLUEOCEAN.law do not sell our Clients' Personal Information, therefore we do not strictly need to be concerned about compliance with the following law.

Nevertheless, as a best practice we have still chosen to provide the required notice regarding the right to "Opt-Out" in our website footer via the link Do Not Sell or Share My Personal Information.

Your business will need to conduct its own assessment regarding whether you sell your Clients' Personal Information in order to determine whether or not compliance with the following Californian Privacy Laws is required.

"Section 1798.120. Right to opt-out of sale of personal information; selling minors’ personal information
(a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.
This right may be referred to as the "right to opt-out".
(b) A business that sells consumers’ personal information to third parties SHALL PROVIDE NOTICE to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.
(c) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information.
A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
This right may be referred to as the “right to opt-in.” [Emphasis added]."

Further Reading:

Governor Newsom Signs First-in-Nation Bill Protecting Children’s Online Data and Privacy [Published: Sep 15, 2022].

California Goes Beyond COPPA to Protect Children’s Privacy written by John Falzone, VP Privacy Certified [MAY 28, 2020].

California pushes ahead with its own children’s online privacy protections written by Taylor Hatmaker (@tayhatmaker) [Published August 31, 2022].

California Poised to Overtake Germany as World’s No. 4 Economy by Matthew A. Winkler in Bloomberg [Published October 24, 2022].

Social Sharing Image: Photo courtesy of ian dooley on Unsplash

Credits: This blog article was written by James D. Ford Esq., GAICD CIPP/US CC | Attorney-at-Law, Blue Ocean Law Group℠.

State of California Bar Number: 346590

Important Notice:

This blog article is intended for general interest + information only.

It is not legal advice, nor should it be relied upon or used as such.

We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.