By: Richard S. Eisert, Gary A. Kibel and Vivian Wang
The California legislature recently passed the California Consumer Privacy Act of 2018 (the Act), which imposes significant privacy-related obligations on entities that do business in California. The bill was passed in response to a much more stringent California ballot initiative on the condition that the initiative would be withdrawn. The Act has many similar concepts to Europe’s GDPR.
The Act is primarily an “opt out” law, but it also contains some new “opt in” standards. It applies to companies doing business in California that meet certain gross revenue standards; buy or receive personal information of 50,000 or more consumers, households, or devices; or derive half or more of their annual revenues from selling consumers’ personal information. Some highlights of the Act include the following provisions:
- Access: Consumers have a right to request that businesses disclose the categories and specific pieces of personal information that they collect about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. Requests must generally be honored within 45 days.
- Deletion: Consumers have the right to request that businesses delete their personal information.
- Portability: Consumers have a right to receive their personal information from the business in order to take it elsewhere.
- Sale Opt-Out: If a business intends to sell the personal information of a consumer, the business must provide notice and an opportunity to opt-out, with certain limited exceptions.
- Definition of Personal Information: The definition of personal information is broader and includes browsing and search history, geolocation data and inferences drawn from data to create a profile that reflects a consumer’s trends, preferences and behavior.
- No discrimination: It prohibits businesses from discriminating against consumers that have opted out. Notably, businesses may offer financial incentives to consumers for the collection of their personal information.
- Personal Information of Children: The Act prohibits businesses from selling personal information of a consumer under 16 years of age, unless affirmatively authorized via an “opt in.”
- Financial Damages: Consumers have a private right of action in the event of a data breach and may recover damages in an amount up to $750 per consumer per incident, or actual damages, whichever is greater. The state attorney general can also sue for intentional violations of privacy at up to $7,500 each. For both consumer and AG lawsuits, there is a 30 day cure period.
There are numerous other requirements under the Act, many of which will be new concepts to companies doing business in the U.S. The news is not all negative for businesses, as there is an ability to cure any deficiencies and to escape liability for third party service providers if proper controls are put in place.
The Bottom Line
The Act becomes operative on January 1, 2020. In the meantime, the Attorney General will issue more detailed regulations. Nevertheless, companies doing business in California that collect consumers’ personal information – online or otherwise – should begin considering how to comply with this new privacy law as soon as possible.
Digital Media, Technology & Privacy Partner
Davis & Gilbert LLP
212.468.4863 // reisert@dglaw.com
Digital Media, Technology & Privacy Partner
Davis & Gilbert LLP
212.468.4918 // gkibel@dglaw.com
Digital Media, Technology & Privacy Associate
Davis & Gilbert LLP
212.468.4927 // vwang@dglaw.com