On June 28, 2018, California passed a new privacy law that is one of the most stringent consumer protection privacy laws in the nation. The California Consumer Privacy Act of 2018 (Act) introduces onerous new requirements and limitations on any businesses that collect and sell personal information of California residents.
The Act stipulates that companies that fail to comply with the law may be subject to litigation brought by aggrieved consumers for statutory damages, in addition to facing monetary penalties and enforcement by the California Attorney General. However, businesses have time to adjust their data protection practices as the Act is not scheduled to go into effect until January 1, 2020.
I. Who Does the Act Apply To?
The Act applies to any business entity doing business in California that collects consumers’ personal information, and that satisfies one or more of the following criteria: (1) the business has an annual gross revenue that exceeds $25 million; (2) the business alone annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or (3) the business receives 50% or more of its annual revenue from selling consumers’ personal information.
The Act also applies to any entity that controls or is controlled by a business in one of the above three categories that shares common branding with such a business.
II. What Does the Act Include Changes To?
There are eight key components of the Act that bring new meaning to privacy regulations in California:
The Definition of ‘Personal Information’ Has Been Extended: The Act uses a very expansive definition of personal information. It includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It also includes location data, purchasing or browsing history and education or employment information.
Disclosure of Personal Information That Is Sold or Collected by Businesses: The Act requires that businesses disclose to any consumer that requests such disclosure, the categories and specific pieces of personal information the business has collected on that consumer. The business must provide two or more methods for consumers to submit these disclosure requests, including a toll-free number. The Act requires businesses that collect personal information to disclose the:
• categories of personal information collected;
• source(s) from which the information was collected;
• the business or commercial purpose for collecting or selling the information;
• categories of third parties with which the information is shared; and
• specific information collected about the consumer.
Data Portability: A business that receives a consumer request to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the consumer’s personal information. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.
Website Privacy Policy: Before collecting any data, businesses must provide notice to consumers in the business privacy policy about their data practices, and businesses are prohibited from collecting additional personal information or using any existing personal information for additional or different use without notice to consumers. The privacy policy must be available through a “clear and conspicuous” link on the business’s website, and it must be easy for consumers to navigate.
Consumer’s Right to Opt Out: Consumers have the right, at any time, to direct a business not to sell the consumer’s personal information. A business that sells consumers’ personal information to third parties must provide notice to consumers that they have the right to opt out of the sale of their personal information. Businesses that intend to sell the information of consumers that are under the age of 16 must comply with strict opt-in requirements that require either consumer or parental consent.
Right to Be Forgotten: Under the Act, California consumers may demand that a business delete any personal information that has been collected about the consumer – i.e. the consumer has the “right to be forgotten.” This right is nonetheless subject to limitations including, but not limited to, if the personal information is required to complete a transaction, to detect security incidents, to identify errors in functionality or for legal reasons.
Non-Discrimination: Businesses are prohibited from discriminating against consumers based on the consumer exercising their rights under the Act. For example, a business cannot refuse to sell goods or provide services, to charge different prices for such goods or services, or to provide lower quality goods and services because a consumer exercises their rights under the Act. There are some exceptions to this provision, including that a business is not prohibited from charging different prices or providing different quality goods or services if the difference is “reasonably related” to the value of the consumer information at issue.
Private Right to Sue and Civil Penalties: The Act also grants the California Attorney General’s Office latitude to bring civil actions against an offending company. These civil actions can result in penalties of up to $7,500 per intentional violation of any provision of the Act, or $2,500 for unintentional violations, should the company fail to cure the unintentional violation within 30 days of notice. It is unclear in the Act whether the “per violation” requirement refers to incident per consumer or just per incident. Approximately 20% of the penalties collected by the state will be allocated to a new “Consumer Privacy Fund” to pay for future enforcement.
In the event of a civil class action lawsuit arising from data theft or other data security incidents, a court can order the breaching business to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the business instead of allowing civil suits to be brought against it.
III. What Might California’s Passage of This Law Mean for Other States?
Following the EU’s implementation of the General Data Protection Regulation (GDPR) in May 2018, the Act may be the start of a similar cascade of stricter consumer data protection laws in the U.S. Currently, at least 13 states have some form of a data protection law, though the level of protection varies from state to state. The Act is the most far-reaching consumer protection law in the U.S. to date. It is likely that companies will look to the Act as a model. From now until the effective date of January 1, 2020, the California legislature is expected to pass “cleanup bills” to resolve any weaknesses in the Act. This may include more coherent guidelines for companies doing business in California.
