California is taking the lead when it comes to data privacy protection. While the requirements of the California Consumer Privacy Act of 2018 are not as stringent as the European Union’s General Data Protection Requirements (GDPR), the state will require businesses to take several additional steps to safeguard consumer privacy.
California Consumer Privacy Act of 2018
Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (California Consumer Privacy Act) into law on June 28, 2018. Beginning January 1, 2020, consumers will have the right to request that a business disclose the following:
- The categories of personal information it has collected about that consumer;
- The categories of sources from which the personal information is collected;
- The business or commercial purpose for collecting or selling personal information;
- The categories of third parties with whom the business shares personal information; and
- The specific pieces of personal information it has collected about that consumer.
Like the GDPR, the new law creates a “right to be forgotten.” It specifically grants a consumer the right to request deletion of personal information and mandates businesses to delete such information upon receipt of a verified request. Consumers will also have the right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects, and the categories of information and the identity of third parties to which the information was sold or disclosed. Under California’s new privacy law, a business will be required to provide this information within 45 days of receiving a verifiable consumer request.
The California Consumer Privacy Act also authorizes a consumer to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. At the same time, the new law does authorize businesses to offer financial incentives for the collection of personal information. Additionally, California’s new privacy law bans businesses from selling the personal information of a consumer under 16 years of age, unless the children or their parents expressly opt in.
Businesses must also take certain steps to inform consumers about their privacy rights. For instance, they must provide a clear and conspicuous link on their Internet homepage, titled “Do Not Sell My Personal Information,” to a separate Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business may not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information. The law also mandates that businesses provide at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).
Under the law, civil penalties of up to $7,500 may be imposed per violation. When a breach of personal information occurs, the law entitles aggrieved consumers to statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.
Businesses Subject to this California Law
The California Consumer Privacy Act won’t just impact businesses that call California home. The law applies to any for-profit business entity that does business in California, collects consumers’ personal information, and meets one or more of the following criteria: (1) has annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buys, receives, sells, or shares personal information of 50,000 or more consumers annually; or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information. A “consumer” is defined as a natural person who is a California resident and includes California residents while they are traveling.
According to the International Association of Privacy Professionals, more than 500,000 U.S. businesses will fall under the purview of the new privacy law. Because many large businesses have taken steps to comply with GDPR, they should be in a good position to meet the new requirements of California’s privacy law. However, small and medium-sized businesses that are not subject to the GDPR should begin the process of reviewing their privacy policies and procedures to ensure they are prepared to comply with the California Consumer Privacy Act by the end of this year.
Businesses should also closely monitor other state-level privacy laws that may impact their operations.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, David Einhorn, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.