What are the key takeaways from the Act?

• A consumer has a right to request that a business disclose the categories and specific pieces of personal information that the business collects about the consumer and whether that information is shared with third parties. A business must provide this information free of charge within 45 days of receiving the request from the consumer;
• Businesses which collect personal information will be required, at or before the time of collection, to inform consumers the categories of information that will be collected and the business purpose for which the personal information will be used;
• Consumers have the right to object and opt out of the sale or sharing of their personal information. Businesses will be required to include an option on their website where consumers can select "Do Not Sell My Personal Information" in order to opt out;
• A consumer will have the right to request that a business delete any personal information which the business has collected from the consumer; and
• The sale of personal information of children under 16 years old will require an opt-in. For children between 13 and 16, the child can provide the opt-in. For children younger than 13, the parent must provide the opt-in.

Who is protected by the Act?

The Act defines "consumers" as natural persons who are California residents. With the fifth-largest economy in the world, there is a strong likelihood that most companies serve consumers in California even without a physical presence in the state.

Who must comply with the Act?

A "business" subject to the Act is a for-profit entity that does business in the State of California and satisfies one or more of the following thresholds: (1) the business has annual gross revenues in excess of $25 million; (2) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenues from selling the personal information of consumers. The calculation of these thresholds includes both parent companies and all subsidiaries.

The Act does provide certain exemptions from compliance if "every aspect of that commercial conduct takes place wholly outside of California." A business qualifies for this exemption if it (a) collected the information while the consumer was outside of California; (b) no part of the sale of the consumer's personal information occurred in California; and (c) no personal information collected while the consumer was in California is sold.

Penalties and Enforcement Under the Act

The Act provides for a private right of action for unauthorized access to a consumer's unencrypted and unredacted personal information. The California Attorney General can also impose a fine of up to $7,500 per violation.

What Should Financial Service Providers Be Doing to Prepare for the Act?

With less than 18 months until the Act goes into effect, financial service providers should begin an immediate evaluation of whether they will be subject to the Act. The Act does provide for certain exemptions under the Gramm-Leach-Bliley Act (GLBA). However, financial service providers would still need to comply with the Act for personal information collected from California residents beyond what is collected under the GLBA. All financial service providers should be proactive in reviewing their current procedures and implementing new protocols to ensure compliance with the Act.