In a compromise to avoid a ballot measure, at the very last moment on the very last day, just before the stroke of midnight on June 29, 2018, the California legislature passed and Governor Brown signed into law the California Consumer Privacy Act of 2018 (the “Act”), which takes effect on January 1, 2020. Many of its provisions are similar to the General Data Protection Regulation (“GDPR”), which took effect in Europe at the end of May and required companies to institute new internal data privacy regimes. So, while those companies which prepared for the GDPR are well on their way to compliance with this new law, there is still much to be done by them, and especially by those companies which were not impacted by the GDPR.
Moreover, it is not clear whether the new law is in its final form. Commentators opine that legislators may want to amend the Act prior to implementation, and by its provisions, the Attorney General (“AG”) is to solicit public participation in adopting regulations to implement the provisions of the Act.
As we wait for those regulations and any possible legislative changes and/or regulatory clarifications, there are some key provisions businesses in California, and those who do business with Californians, will want to know.
- The Act defines those companies which are subject to its provisions, namely, as companies: 1) with annual gross revenues in excess of $25 million; 2) who alone or in conjunction with others annually buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or 3) who derive 50% or more of their annual revenues from selling consumer personal information.
- The Act also broadly defines personal information, this time to include any data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including but not limited to a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number and other similar identifiers; and then includes any personal information already defined in the law at Civil Code 1798.80, which adds to the list: signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
- California consumers will have the right to know the categories and details of any personal information collected and the related purposes and uses, along with the sources from which the data was collected and the third parties with whom the business shares or sells the personal information; and additional purposes/uses cannot be implemented without consumer consent.
- California consumers will now have the right to demand the specific information being maintained about them, although no more than twice in a 12-month period, and such demands will be subject to verification of the requesting party. Businesses are given 45 days to respond, although if “reasonably necessary” and the consumer is given notice, a total of 90 days to respond is possible. The information disclosed to consumers must be delivered free of charge and in as usable and portable a form as possible.
- California consumers will also have the right to opt out of having their personal information sold, and companies are mandated to conspicuously provide instructions for doing so by way of a link entitled “Do Not Sell My Personal Information,” which must be prominently placed either on the company’s home page or on the page directed to California consumers.
- California consumers will also have the right to be forgotten, unless the data is necessary for the business or service provider for legitimate uses, such as completing the transaction and security and system integrity reasons. Interestingly, while the GDPR includes a provision giving the consumer the right to demand the correction of personal information the consumer believes is wrong, nothing comparable is mentioned in this new law.
- Data of those 16 and younger cannot be sold absent affirmative opt-in consent by minors between 13 and 16, and by a parent or guardian for those under 13.
Finally, when it comes to enforcement, the new law puts enforcement in the hands of the Attorney General, with fines capped at $7,500 per violation. Class actions and a general private right of action are specifically barred. However, a consumer may file a civil action if his or her “non-encrypted or non-redacted” personal information is the subject of a breach. (The damages in that context are limited to between $100 and $750 per consumer per incident or actual damages, whichever is greater.) At the same time, the consumer does have the right to seek injunctive or declaratory relief or any other relief the court deems proper.
For more details, the full text of the Act can be found here: California Consumer Privacy Act of 2018.