Insights
Publications

Is Your Wine Business Ready for the California Consumer Privacy Act?

April 25, 2019 Articles
Nate Garhart

Companies within and outside the State of California who offer products and services to California residents are focusing on what they need to do to comply with the new California Consumer Privacy Act of 2018 (CCPA), which will come into effect January 1, 2020.

Companies in the wine industry are no different. By turning attention to the issue now, your wine company can be ready for the new law without significant disruption of business.

Are you subject to the law?

A California wine company should start by determining whether the requirements of the law will actually apply to it. The act applies to for-profit companies that

  • have annual gross revenues in excess of $25 million; or
  • receive or sell/share the personal information of 50,000 or more California residents, households, or devices; or
  • derive at least 50% of their annual revenues from selling the personal information of California residents.

While we can assume that the third of these criteria doesn’t apply to many wine companies, the first two will likely make many subject to the law.

It is important to note that the law applies and gives California residents privacy rights even vis-a-vis a company that is not itself located within California unless “every aspect of . . . commercial conduct takes place wholly outside of California.” This would require that, for a given California resident claiming rights under the act,

  • the information was collected from the consumer while s/he was outside of California;
  • no part of any sale of the personal information occurred in California; and
  • no personal information collected while the consumer was in California was sold.

To be sure, it is very unlikely that businesses selling goods and services to California residents will be able to avoid application of the law.

What does the Act require?

While much more could be said on this topic and the devil is in the details, the CCPA provides consumers with four basic rights relating to their personal information:

  • The right to know what personal information is being collected and what is being done with that information;
  • The right to “opt out” of the sharing of personal information;
  • The right to control personal information and have collected information deleted; and
  • The right to not be prejudiced even if exercising rights under the act.

What is “personal information?”

Personal information as defined by the CCPA includes traditional forms of information that identify individuals (names, email addresses, etc.), and also non-traditional examples including IP addresses, geolocation information, and unique identifiers such as device IDs, cookie IDs, and internet activity information (browsing and search history). Additionally, inferences drawn from such personal information “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” would also amount to personal information subject to the rights under the CCPA.

What needs to be done to get ready?

At this time companies should be discussing the issues with stakeholders within the company, primarily those interested in collecting and using the information — the marketing department — and those that control the technical collection of data — the IT department. It is important that both stakeholders provide input and understand the issues as it is common for systems to collect information that, for example, marketers were not actually looking to collect.

Once it is clear what information is being collected and what is being done with that information, the privacy policy and other disclosure documents and links need to be drafted and included on the site to comply with the company’s disclosure obligations under the CCPA.

The IT department must also be engaged to ensure that the company can respond to consumers’ requests for information and/or to be forgotten. While seemingly simple, this often requires steps to be taken to create or optimize the ability to do so.

Once the privacy policy and required disclosures are posted and the company has a plan and process to respond to consumer and regulator requests concerning personal information, January 1, 2020 will present only the chance to toast the opportunities of the new year rather than worry about the effective date of the CCPA.

Firm Highlights

Publication

I Always Feel Like AI Is Watching Me: Artificial Intelligence and Privacy

ChatGPT got the early press, and every day we learn of new generative artificial intelligence products that can create new and creative visual and text responses to human input. Following on ChatGPT’s fame, Google’s...

Read More
Publication

Employee Data under the CCPA: Expiration of Employer Exemptions Requires Compliance as of January 1, 2023

Since the California Consumer Privacy Act (“CCPA”) was passed in 2018, employers have been watching carefully to see how the law will apply to data collected and maintained about their employees. Up until now, ...

Read More
Publication

Cybersecurity Regulation: Key Takeaways From an Unusual FTC Order That Will Follow CEO for a Decade

The FTC recently issued a proposed order that would settle an enforcement action against Drizly, LLC and its co-founder and CEO, James Rellas, arising from data breaches in 2018 and 2020 that affected over...

Read More
Publication

Nonprofit Websites and Terms of Use - Best Practices and Common Pitfalls

Welcome to EO Radio Show – Your Nonprofit Legal Resource . Happy New Year, everyone!  In episode 26, Cynthia Rowland and her guest Nate Garhart discuss websites and terms of use and the legal concepts...

Read More
Publication

California Attorney General Announces Enforcement Sweep of Mobile Applications

Shortly before Privacy Day, California Attorney General (Cal AG) Rob Bonta  announced  a California Consumer Privacy Act (CCPA) enforcement sweep that targeted mobile applications. The sweep focused on popular apps in the retail, travel...

Read More
Publication

Uber’s Former Chief Security Officer Found Guilty of Obstruction For Coverup of Data Breaches

On October 5, 2022, after a monthlong jury trial, former Uber Chief Information Security Officer Joseph Sullivan was found guilty of obstructing proceedings of the Federal Trade Commission (FTC) and misprision of a felony...

Read More
Publication

Privacy Policy Best Practices for Nonprofits

Welcome to EO Radio Show – Your Nonprofit Legal Resource . I’m happy to have my colleague Nate Garhart back for a discussion on privacy laws and how they affect website content development and online...

Read More
Publication

California Passes Landmark Privacy Protections for Children With Big Implications for Online Providers

Governor Newsom recently signed into law AB 2273 , the California Age-Appropriate Design Code Act (CA AADCA), making California the first state to pass broad privacy protections for children. The CA AADCA is modeled...

Read More
Publication

Using Multi-Factor Authentication as a Prerequisite to Cyber Liability Coverage

Multi-factor authentication (MFA) is more than an annoying popup or text message when logging onto a company’s website or platform. Not only is using MFA a sound security practice and good business, it is frequently...

Read More
Publication

California AG Signals Enforcement of the Global Privacy Control Under the CCPA

As companies prepare for the provisions of the California Privacy Rights Act (“CPRA”) to come into effect in January 2023, California Office of Attorney General (“OAG”) has signaled that companies should not wait to...

Read More