The Bottom Line
- The Act becomes operative on January 1, 2020. In the meantime, the Attorney General will issue more detailed regulations.
- Nevertheless, companies doing business in California that collect consumers’ personal information — online or otherwise — should begin considering how to comply with this new privacy law as soon as possible.
The California legislature has passed, and Governor Jerry Brown has signed into law, a bill known as the California Consumer Privacy Act of 2018 (the Act), which imposes significant privacy-related obligations on entities that do business in that state. The bill was quickly passed so that sponsors of a much more stringent California ballot initiative would withdraw their proposal (public support for which was polling high) just as it was about to be certified for November, avoiding the potential for companies to have been subject to even tougher rules. Some have called the Act “GDPR-light” since it implements many similar concepts from the new European law.
The initiative was spearheaded by a California real estate developer with no ties to the technology or digital industries, and was strongly opposed by those industries. While both the initiative and this new law allow customers greater access to and control over the personal information gathered about them, the initiative would have allowed individuals to bring civil suits against companies that breached the initiative’s requirements and seek damages without proving actual harm (the new law does not allow civil suits in connection with most claims for damages, other than in connection with a data breach).
Further, amending the initiative, if it had taken effect, would have been difficult. By its terms, it could only be amended by a 70 percent vote of the legislature. While the Act maintains many of the consumer rights and company obligations of the initiative, it significantly reigns in the potential remedies and damages.
The California Consumer Privacy Act of 2018
The California Consumer Privacy Act of 2018 is primarily an “opt out” law, but it also contains some new “opt in” standards. It applies to companies doing business in California that meet certain gross revenue standards; buy or receive personal information of 50,000 or more consumers, households, or devices; or derive half or more of their annual revenues from selling consumers’ personal information.
In particular, some highlights of the Act include the following provisions:
- Access: Grants consumers a right of access to request that businesses disclose the categories and specific pieces of personal information that they collect about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. Requests must be honored within 45 days, with possible extensions.
- Deletion: Grants consumers the right to request that businesses delete the personal information held about such consumer.
- Portability: Provides a right of portability for consumers to receive their personal information from the business in order to take it elsewhere.
- Sale Opt-Out: If a business intends to sell the personal information of a consumer, the business must provide notice and an opportunity to opt-out, however, there are exceptions for mergers and acquisition transactions in which the entire business is being transferred and not just the personal information.
- Definition of Personal Information: The definition of personal information is broad and includes browsing and search history, geolocation data and inferences drawn from data to create a profile that reflects a consumer’s trends, preferences and behavior.
- No discrimination: It prohibits businesses from discriminating against consumers that have opted out, including by charging them a different price or providing them a different quality of goods or services, except if the difference is reasonably related to the value provided by the data. Notably, businesses may offer financial incentives to consumers for the collection of their personal information.
- Personal Information of Children: The Act prohibits businesses from selling personal information of a consumer under 16 years of age, unless affirmatively authorized via an “opt in.”
- Financial Damages: The Act provides a limited private right of action for consumers in the event of a data breach. In those instances, consumers may recover damages in an amount ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
There are numerous other requirements under the Act, many of which will be new concepts to companies doing business in the U.S. The news is not all negative for businesses, as there is an ability to cure any deficiencies and to escape liability for third party service providers if proper controls are put in place.