California Consumer Privacy Act of 2018

Verrill
Contact

Introduction

On June 28, a new law took effect in California that gives California residents greater control over the collection and processing of their personal information. The law, called The California Consumer Privacy Act of 2018 (the “Act”), incorporates principles similar to those in the European Union’s General Data Protection Regulation (GDPR), which took effect in May of this year. Businesses collecting personal information of California residents should assess their obligations under the Act and take any necessary steps to ensure compliance before the Act takes effect on January 1, 2020.

History and Posture

The California legislature quickly drafted and passed the Act during the last week in June in an effort to forestall a more consumer-friendly ballot initiative from going to the polls in the November election. The ballot initiative was approved by California voters in June, but it was subsequently withdrawn following the passage of the Act due to a compromise between the California legislature and the ballot initiative’s sponsors. It is expected that the Act will be further amended by the California legislature and interpreted by agency regulations. Although the major pillars of the Act are settled, a number of provisions still require further clarification.

Key Requirements Under the Act

As currently written, the Act requires certain businesses (described in more detail below) to disclose information to consumers about the personal information they collect, including the sources from which the information is collected, the purposes for collecting the information, and the third parties with whom the information is shared.

The Act defines “personal information” broadly to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes traditional identifiers like names and addresses, as well as commercial and biometric information, browsing and search history, geolocation data, and any “[i]nferences drawn from any information . . . to create a profile about a customer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” Suffice it to say, the term “personal information” is especially broad.

The Act provides consumers the right to request that their personal information be erased. In most instances, businesses must comply with a consumer’s request to erase his or her personal information.

Consumers also have a right under the Act to opt out of the sale of their personal information, and the Act prohibits businesses from discriminating against consumers who choose to do so. However, businesses may charge consumers a different price or provide different quality goods or services when consumers opt out if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.” There is considerable ambiguity surrounding this exception, and we expect more information to be released clarifying its meaning.

Importantly, the Act also creates a private right of action for consumers in some circumstances in the event of unauthorized access to or disclosure of their personal information, and the Act provides for statutory damages that could amount to more than actual damages. However, the Act only applies to the personal information of California residents, so this private right of action is limited.

To Whom the Act Applies

The Act applies to any business that collects California residents’ personal information and (i) has annual gross revenues over $25 million; (ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers; or (iii) derives fifty percent or more of its annual revenues from selling consumers’ personal information. The Act does not apply to entities covered by the California Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act (HIPAA).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Verrill | Attorney Advertising

Written by:

Verrill
Contact
more
less

Verrill on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.