California Consumer Privacy Act of 2018
On June 28, a new law took effect in California that gives California residents greater control over the collection and processing of their personal information. The law, called The California Consumer Privacy Act of 2018 (the “Act”), incorporates principles similar to those in the European Union’s General Data Protection Regulation (GDPR), which took effect in May of this year. Businesses collecting personal information of California residents should assess their obligations under the Act and take any necessary steps to ensure compliance before the Act takes effect on January 1, 2020.
History and Posture
The California legislature quickly drafted and passed the Act during the last week in June in an effort to forestall a more consumer-friendly ballot initiative from going to the polls in the November election. The ballot initiative was approved by California voters in June, but it was subsequently withdrawn following the passage of the Act due to a compromise between the California legislature and the ballot initiative’s sponsors. It is expected that the Act will be further amended by the California legislature and interpreted by agency regulations. Although the major pillars of the Act are settled, a number of provisions still require further clarification.
Key Requirements Under the Act
As currently written, the Act requires certain businesses (described in more detail below) to disclose information to consumers about the personal information they collect, including the sources from which the information is collected, the purposes for collecting the information, and the third parties with whom the information is shared.
The Act defines “personal information” broadly to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes traditional identifiers like names and addresses, as well as commercial and biometric information, browsing and search history, geolocation data, and any “[i]nferences drawn from any information . . . to create a profile about a customer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” Suffice it to say, the term “personal information” is especially broad.
The Act provides consumers the right to request that their personal information be erased. In most instances, businesses must comply with a consumer’s request to erase his or her personal information.
Consumers also have a right under the Act to opt out of the sale of their personal information, and the Act prohibits businesses from discriminating against consumers who choose to do so. However, businesses may charge consumers a different price or provide different quality goods or services when consumers opt out if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.” There is considerable ambiguity surrounding this exception, and we expect more information to be released clarifying its meaning.
Importantly, the Act also creates a private right of action for consumers in some circumstances in the event of unauthorized access to or disclosure of their personal information, and the Act provides for statutory damages that could amount to more than actual damages. However, the Act only applies to the personal information of California residents, so this private right of action is limited.
To Whom the Act Applies
The Act applies to any business that collects California residents’ personal information and (i) has annual gross revenues over $25 million; (ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers; or (iii) derives fifty percent or more of its annual revenues from selling consumers’ personal information. The Act does not apply to entities covered by the California Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act (HIPAA).
For further information on how Verrill Dana can assist with your business’s compliance with the Act before its effective date on January 1, 2020, please reach out to your regular Verrill Dana attorney.