Following the European Union’s General Data Protection Regulation (GDPR), California recently jumped on the data privacy bandwagon when Gov. Jerry Brown signed the California Consumer Privacy Act into law in June. The new data privacy law—which was unanimously approved by the state legislature and is the strictest in the United States—is slated to go into effect Jan. 1, 2020. According to the Assembly Committee on Privacy and Consumer Protection, it gives Californians the right to know what personal information (PI) is being collected about them, whether their PI is being sold and to whom, the right to access their PI, the right to delete PI collected from them, and the right to opt out of the sale of their PI. Further, children under 16 must actually opt in for their information to be sold.
The law faces opposition from dozens of business groups in the technology, retail, health, banking and entertainment sectors. However, the California legislature has approved an amendment, Senate Bill 1121, which purports to “clean up” the Consumer Privacy Act, make “a variety of technical corrections,” clarify the parameters for a private right of action, provide the attorney general with a six-month extension (until July 1, 2020) to write implementation regulations, and bar enforcement actions until July 1, 2020, or six months after the attorney general has published final regulations, whichever is earlier.
These changes do not go as far as many organizations had hoped, however. In an Aug. 6 letter to Sen. Bill Dodd, who introduced SB 1121 (which, as of this writing, awaits signature by Gov. Brown), entities including the California Chamber of Commerce, the Association of National Advertisers and the Motion Picture Association of America urged the legislature to make even more amendments to the statute. These include delaying implementation for an additional 12 months following the attorney general’s rulemaking process, substantially narrowing the definition of “personal information,” limiting the law’s protections to only those consumers whose information was obtained “as a result of the consumer’s purchase or use of a product or service for personal, family or household purposes,” and excluding employees’ personal information.
With more than a year until the Consumer Privacy Act’s current implementation date, it remains to be seen what further amendments will be proposed or passed. For the time being, these questions and answers should shed some light on the new regulation:
1. To whom does the law apply? Businesses that collect information from California residents and 1) have more than $25 million in annual gross revenue; 2) buy, receive, sell or share for commercial purposes the PI of 50,000 or more consumers, households or devices; and/or 3) derive 50% or more of their revenue from the sale of consumers’ PI.
2. What is the definition of personal information? Anything that is capable of being associated, or could reasonably be directly or indirectly linked, with a particular consumer or household, including identifiers such as a name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number or passport number, is considered PI. Of note, identifying information that is otherwise publicly available would not be protected by the law.
The Consumer Privacy Act, however, specifically does not restrict a business’s ability to “[c]ollect, use, retain, sell or disclose consumer information that is deidentified or in the aggregate consumer information,” as long as the business has implemented technical safeguards and business processes that prohibit reidentification and does not attempt to reidentify the information.
3. What must companies disclose to California residents? Companies must disclose the categories and specific pieces of personal information collected about any given consumer, the sources from which that information is collected, the purpose for collecting or selling PI, the categories of PI sold and the categories of third parties with whom the PI is shared.
4. What are the opt-out requirements? As referenced above, consumers can prohibit businesses from selling their personal information. To comply with this opt-out option, companies must conspicuously post their privacy policies online as well as provide a link that specifically reads, “Do Not Sell My Personal Information.”
The statute also prohibits businesses from discriminating against consumers who exercise their rights, such as refusing to sell to them or charging different rates for goods or services (unless the difference is reasonably related to the value provided to the consumer by the consumer’s data). The law does, however, allow businesses to offer financial incentives to consumers relating to the sale of their personal information.
5. Who can bring suit under the California Consumer Privacy Act? Unlike the proposed ballot initiative, the power to enforce the law almost exclusively rests with the state attorney general. However, in data breach cases where the attorney general declines to prosecute within 30 days of being notified of a consumer’s intent to bring suit, the consumer can proceed with an action. Companies must be given 30 days’ written notice and an opportunity to “cure” the noticed violation within that time period. Likewise, businesses will have 30 days to cure any violations after receiving notice of noncompliance from the state attorney general.
The other good news for California companies is that the law does not impose monumental fines such as those contemplated under the GDPR—the greater of €20 million or 4% of a business’s annual worldwide turnover. Instead, the Consumer Privacy Act permits consumers to recover the greater of up to $750 per violation or their actual damages. Where a business has intentionally violated the statute, the attorney general can also recover a civil penalty of up to $7,500 per violation.