Takeaways

  • The California Consumer Privacy Act of 2018 provides consumers with broad rights to control use of their personal information by covered businesses.
  • Covered businesses will need to review and revise their existing privacy policies to make the required disclosures and to provide two methods for customers to inquire about use of their personal information.

On June 28, California Governor Edmund Gerald “Jerry” Brown, Jr. signed into law Assembly Bill 375, enacting The California Consumer Privacy Act of 2018. The new law provides consumers with expansive rights and control over the personal information obtained by or shared with covered businesses.

When does The California Consumer Privacy Act of 2018 go into effect?

January 1, 2020.

What are consumers’ rights under the new law?

  • Right to request disclosure of information collected about the individual (including categories and specific information)
  • Right to request disclosure of information about the individual that the covered business has sold or shared for business purposes
  • Right to request deletion of personal information held by a covered business (except, among other reasons, to enable solely internal uses that are reasonably aligned with the expectations of the consumer, to comply with a legal obligation, where retention is necessary to complete a transaction for the individual or reasonably anticipated in the context of a business’s ongoing relationship with the consumer, for security reasons such as to protect against fraudulent or illegal activity or to prosecute such activity)
  • Right to opt out of the sale of the consumer’s personal information
  • Right not to be discriminated against because of choices regarding her/his personal information.

Who is required to comply?

A covered business is any legal for-profit entity (and any entity that is controlled by or controls such entity) that collects personal information, which alone or with others determines the purposes and means of processing that information and which (a) has annual gross revenues exceeding $25 million or (b) annually buys, sells, receives or shares personal information of 50,000 consumers or more, or (c) derives 50 percent or more of annual revenues from selling consumer information.

What does “Personal Information” include?

Personal information includes, without limitation, information which identifies a natural person residing in California (“consumer”) (such as name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security Number, driver’s license number, passport number, etc.), any categories of personal information in Civil Code §1798.80 (i.e., any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, Social Security Number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information), characteristics of protected classifications under California or federal law, commercial information, personal property records, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, biometrics, internet activity (browsing history, search history, etc.), geolocation information, audio, electronic, visual, thermal, olfactory or similar information, professional or employment-related information, and education information.

What information is exempt?

  • Information collected by a covered business or which is governed by the Health Insurance Portability and Accountability Act (HIPAA),
  • Information from a consumer reporting agency,
  • Information collected through activities taking place wholly outside of California,
  • Information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), or
  • Information collected, processed, sold or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721).

What disclosures are required?

Pre-request disclosures at point of collection or in the privacy policy:

At least two methods for submitting requests for disclosure must be provided, including a toll-free phone number and website address. The privacy policy (which must be updated at least once every 12 months) must include a list of the categories of personal information being collected, sold or disclosed during the prior 12 months, the sources from which the information is collected, the categories of third parties with whom the information is shared, and the purposes for which the information is used or a statement that personal information has not been sold or disclosed during the prior 12 months. The covered business cannot use the collected information for other purposes without providing notice to consumers in advance of the new use. The privacy policy also must include a description of rights called “Do Not Sell My Personal Information” along with a link to a page enabling an opt-out.

The covered business’s website homepage must include a link called “Do Not Sell My Personal Information” linked to a page enabling an opt-out.

Upon Request:

Covered businesses must respond within 45 days to a verified request, but this period can be extended for another 45 days and up to a total of 90 days depending on the complexity of the information and circumstances. Any request must be verifiable as that of the individual whose information is being requested.

Disclosure may be by mail or electronically (if made electronically the information must be portable and in a usable format).

Disclosures must include the categories of information collected, the categories of sources from which the information is collected, the business purposes for collecting or selling the information, the categories of third parties with whom information has been shared or to whom sold during the prior 12 months including the categories of information sold or shared with each third party, and the specific pieces of personal information collected about the requesting individual. Disclosures must be free unless the business can show the request is repetitive or unfounded, in which case a reasonable fee may be charged.

Covered businesses are not required to respond to an individual’s request made more than twice in any 12-month period.

Can a business offer a financial incentive to a consumer for the collection, sale or deletion of information?

Yes, a covered business may offer payment to consumers as compensation or a different price, rate, level or quality of goods or services if the price difference is directly related to the value provided to the consumer by the consumer’s data. Such an incentive program must require the affirmative opt in of the consumer after notification of the terms of the incentives.

A covered business may not discriminate against a consumer because the consumer exercised its rights under the new law. For instance, a covered business may not deny goods or services to the consumer, charge different prices or rates for goods or services through the use of discounts, benefits or imposing penalties, provide a different level or quality of goods or services, or suggest that the consumer will receive a different price, rate or quality of goods or services if the consumer exercises its rights under the statute.

Who can enforce the statute?

A covered business shall be in violation of the new law if it fails to cure any alleged violation within 30 days after being notified of the alleged noncompliance. The California Attorney General can enforce this statute. In addition, a consumer can institute a legal action if, before suing, the consumer provides 30 days written notice to the covered business and the covered business does not cure the defect; the consumer notifies the Attorney General within 30 days of filing an action and the Attorney General, within 30 days, either notifies the consumer (a) that the Attorney General will prosecute the claim (but if no claim is filed within six months, the consumer may proceed), or (b) that the Attorney General will refrain from acting (in which case the consumer may proceed), or (c) that the consumer may not proceed with an action.

What are the penalties for violation?

If there has been an unauthorized access, exfiltration, theft or disclosure of personal information as a result of the covered business’s violation of a duty to implement reasonable security procedures, a consumer may recover damages not less than $100 but not greater than $750, plus injunctive or declaratory relief.

Any covered business that fails to cure a violation after notice shall be liable for penalties set out in Business & Professions Code §17206 ($2,500 per violation) in an action brought by the Attorney General.

Any person, business, or service provider that intentionally violates this title may be liable for a civil penalty of up to $7,500 for each violation.
