On June 28, 2018, California enacted one of the most far-reaching consumer protection privacy laws in the nation, the California Consumer Privacy Act of 2018 (Act), which is scheduled to go into effect on January 1, 2020. Applauded by many consumers and privacy advocates, the sweeping legislation places onerous new requirements and restrictions on businesses that collect and sell personal information of California residents. Companies that fail to comply with the law may be subject to private civil litigation brought by aggrieved consumers seeking recovery of statutory damages, in addition to enforcement by the California Attorney General and the imposition of hefty penalties. This article provides a brief overview of some of the key provisions in the new Act.
Territorial Reach of the Law
The Act applies to any for-profit entity that does business in the State of California, collects consumers’ personal information, and meets one or more of the following thresholds: (1) has annual gross revenues in excess of $25 million; (2) annually buys, receives, sells or shares, alone or in combination, the personal information of 50,000 or more consumers, households or devices; or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Protected Personal Information
The definition of protected personal information (PI) under the Act is exceedingly broad and encompasses any information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This expanded definition includes, but is not limited to:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, account name, Social Security number, driver’s license number or passport number
- Characteristics of protected classifications under California or federal law
- Commercial information such as records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories
- Biometric information
- Internet or other electronic network activity information, such as browsing history, search history, and a consumer’s interactions with websites, applications or advertisements
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information
- Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Because IP addresses, online identifiers and browsing activity are expressly included, much of the data routinely captured in web server logs, analytics tools and advertising pipelines falls within this definition even when no name is attached to it.
The Act does not, however, treat “publicly available” information as personal information, but that term is narrowly defined: it covers only information lawfully made available from federal, state or local government records, used for a purpose compatible with the purpose for which the records are maintained, and it does not include biometric information collected without the consumer’s knowledge. Nor does the Act restrict the sale of personal information to or from a consumer reporting agency for use in a consumer report governed by the federal Fair Credit Reporting Act. The Act also does not apply to protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA), nor, to the extent the Act conflicts with those statutes, to personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act.
Disclosure of PI Collected or Sold
The Act gives consumers the right to request that a business disclose the personal information it has collected about them and the personal information it has sold or disclosed to third parties, covering the 12-month period preceding the request. The business must make available two or more designated methods for submitting such requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a web address.
A business that receives a verifiable consumer request must deliver the information free of charge, either by mail or electronically, within 45 days of receipt. That period may be extended once by an additional 45 days when reasonably necessary, provided the consumer is notified of the extension within the first 45 days. The word “verifiable” carries real weight in practice: the business must confirm that the requester is the consumer, or someone authorized to act on the consumer’s behalf, before releasing anything, or the disclosure process itself becomes a means of handing a consumer’s personal information to an impostor.
In response to a verifiable request, a business that collects personal information must disclose the:
- Categories of personal information it has collected about the consumer
- Categories of sources from which the personal information was collected
- Business or commercial purpose for collecting or selling the personal information
- Categories of third parties with which the business shares the personal information
- Specific pieces of personal information it has collected about the consumer.
A business that sells personal information or discloses it for a business purpose must additionally disclose the categories of personal information it sold, by category of third-party recipient, and the categories it disclosed for a business purpose.
Right to Opt Out / Opt In
All California consumers have the right, at any time, to direct a business not to sell their personal information to third parties, the right to “opt out.” Upon receipt of such a request, the business is prohibited from selling the consumer’s personal information unless the consumer later expressly authorizes the sale. Minors are treated differently: a business shall not sell the personal information of a consumer it actually knows is younger than 16 years of age unless it has received affirmative authorization, from the consumer if the consumer is between 13 and 16 years of age, or from the consumer’s parent or guardian if the consumer is under 13. The Act refers to this special requirement for minors as the right to “opt in,” and a business that willfully disregards a consumer’s age is deemed to have actual knowledge of it.
Internet Privacy Policy
Businesses that sell consumers’ personal information will be required to establish a “clear and conspicuous” link on their internet homepage to an internet web page titled “Do Not Sell My Personal Information.” This page will enable consumers to opt out of the sale of their personal information. The business shall not require consumers to create an account in order to exercise their right to opt out. The consumers’ right to opt out of the sale of their personal information also should be described in the business’s online privacy policy. Once a consumer has opted out, the business must comply with the request. Moreover, the business must wait at least 12 months from the date the consumer opts out before requesting the consumer to authorize the sale of his or her personal information.
Right to Be Forgotten
California consumers also can demand that a business delete any personal information it has collected from them, and a business that receives a verifiable request must delete the information from its records and direct its service providers to do the same. This so-called “right to be forgotten” is subject to certain limitations. For instance, a business is not required to delete a consumer’s personal information if it is necessary to:
- Complete the transaction for which the information was collected, or otherwise perform a contract with the consumer
- Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for such activity
- Comply with legal obligations and other laws, such as the California Electronic Communications Privacy Act
- Engage in scientific, historical or statistical research in the public interest, where deletion would seriously impair the research.
Antidiscrimination Provision
The Act expressly prohibits a business from discriminating against any consumers for exercising their rights under the new law. This includes discriminating against a consumer by denying goods or services, charging different prices, or providing a different level or quality of goods or services. Notably, however, the Act recognizes an exception for charging a different price or level of a good or service if the difference is “reasonably related to the value” of a consumer’s data. In addition, the Act permits businesses to offer consumers “financial incentives” for the collection and sale of their personal information.
General Exemptions
Despite its extraordinary breadth and scope, the Act enumerates several important exemptions. For instance, the Act does not restrict a business’s ability to:
- Comply with other laws
- Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons
- Cooperate with law enforcement
- Collect, use, retain or sell “de-identified” consumer information, that is, information that cannot reasonably identify a particular consumer, provided the business has implemented technical safeguards and business processes that prohibit reidentification and makes no attempt to reidentify the information
- Prosecute or defend legal claims
- Collect or sell consumers’ personal information if every aspect of the conduct occurred wholly outside of California; conduct is wholly outside California if (1) the personal information was collected while the consumer was outside California, (2) no part of the sale of the information occurred in California, and (3) no personal information collected while the consumer was in California is sold.
Private Right of Action to Sue
In a win for the plaintiffs’ bar, the Act creates a private right of action for a consumer whose nonencrypted or nonredacted personal information has been the subject of a data breach. The right arises in the context of any “unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Two points narrow this considerably. First, “personal information” here carries the narrower meaning used in California’s existing data breach statute (Civil Code section 1798.81.5(d)(1)(A)), essentially a name combined with a data element such as a Social Security number, driver’s license number, financial account number together with its access code or password, or medical or health insurance information, rather than the sweeping definition that governs the rest of the Act. Second, the remedy reaches only data that was neither encrypted nor redacted, so, as a practical matter, encrypting stored personal information (with the keys kept separate from the data they protect) takes a breach of that data outside the private right of action. In bringing a civil suit on an individual or class-wide basis, the consumer may recover the greater of actual damages or statutory damages of not less than $100 and not more than $750 per consumer per incident, in addition to injunctive or declaratory relief. In assessing statutory damages, a court considers the nature, seriousness, persistence and length of the misconduct, the number of violations, the willfulness of the defendant’s conduct, and the defendant’s assets, liabilities and net worth.
However, before filing an action for statutory damages, the consumer must give the business 30 days’ written notice identifying the specific provisions the consumer alleges have been violated. If the business cures the violation within that period and provides the consumer an express written statement that the violations have been cured and that no further violations will occur, no action for individual or class-wide statutory damages may be brought; no such notice is required before an action seeking only actual pecuniary damages. In addition, the consumer must notify the California Attorney General within 30 days of filing suit. The Attorney General then has 30 days to respond, either by notifying the consumer that the Attorney General intends to prosecute the violation (in which case the consumer may not proceed unless the Attorney General fails to do so within six months), by refraining from acting so the consumer may proceed, or by notifying the consumer that the consumer shall not proceed with the action. If the Attorney General does not respond within 30 days, the consumer may proceed.
Civil Penalties
A business that intentionally violates any provision of the Act may be subject, in an action brought by the California Attorney General, to an injunction and civil penalties of up to $7,500 for each violation. Under the Act as enacted, a business is liable only if, after being notified of the alleged noncompliance, it fails to cure the violation within 30 days.
Conclusion
The new California Consumer Privacy Act recognizes and enforces Californians’ right to privacy and control over their personal information. While the Act does not take effect until 2020, it is likely to spur other states, and perhaps the federal government, to enact broader legislative protections for the collection and use of individuals’ personal information. Meanwhile, all entities that do business in California and collect personal information of Californians should take prompt action to review and revise their privacy policies, websites, disclosures concerning the collection and sale of consumers’ personal information, consumer opt-out procedures, and processes for honoring consumers’ right to be forgotten. Because the private right of action turns on whether breached data was encrypted or redacted and on whether the business maintained reasonable security procedures, an inventory of where personal information is stored and how it is protected belongs on that same list.