California enacted the California Consumer Privacy Act on June 28, 2018. This law broadly expands the rights of California residents in their personal information collected through online means. The law imposes requirements tied to disclosure of what personal data is collected, how it is used, and with whom a data collector shares this information. Individuals may opt out of having their data sold. Data collectors are also required to provide specific disclosures in connection with security breaches of the data. The California attorney general is authorized to bring enforcement actions for breach of the statute, and may assess fines for non-compliance. It also provides for a private right of action in connection with certain breaches. This law takes effect on January 2, 2020.
This law will impact the business activities of any company engaging in business activities where information of California residents is collected through online channels. Companies, even those without a physical presence in the State will need to become familiar with the law (and amendments thereto) in order to be compliant by the January 1, 2020 effective date.
The law’s genesis was a voter ballot initiative introduced by Alastair Mactaggart, a real estate developer that would have imposed even tougher privacy restrictions. After the measure garnered more than twice the amount of signatures needed to include it on state ballots in November, Mactaggart agreed to withdraw it if lawmakers passed legislation prior to the June 28 deadline for finalizing ballot propositions. Given industry support for legislative action (seen both as less onerous than the ballot provisions and also easier to amend subsequent to passage) the legislature hastily drafted and passed the bill, sending it to Governor Jerry Brown for signature.
In its current form beginning January 1, 2020, the law gives individuals a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. Individuals will have the right to request deletion of personal information and the right to request that a business that sells personal information, or otherwise discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of those third parties to which the information was sold or disclosed. The law outlines the requirements for receiving, processing, and satisfying these requests from consumers. Further, companies may not sell the personal information of a consumer under 16 years of age, unless affirmatively authorized. Adult individuals may opt out of the sale of personal information by a business and the business may not charge individuals opting out a different price and may not provide the opting out individual with a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data (and businesses are permitted to offer financial incentives for collection of personal information). The definition of “selling” (information) is extremely broad and may be deemed to include any transfer of personal data to a third party in return for monetary or other “valuable” consideration. The definition of “personal information” is also expansive in nature.
Nothing in the law is intended to prevent or restrict a business from complying with other federal, state, or local laws, for example, a company’s obligations under HIPAA.
Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.
[View source.]
