California Consumer Privacy Act of 2018

July 10, 2018 Alerts and Newsletters

Introduction

On June 28, a new law took effect in California that gives California residents greater control over the collection and processing of their personal information. The law, called The California Consumer Privacy Act of 2018 (the "Act"), incorporates principles similar to those in the European Union's General Data Protection Regulation (GDPR), which took effect in May of this year. Businesses collecting personal information of California residents should assess their obligations under the Act and take any necessary steps to ensure compliance before the Act takes effect on January 1, 2020.

History and Posture

The California legislature quickly drafted and passed the Act during the last week in June in an effort to forestall a more consumer-friendly ballot initiative from going to the polls in the November election. The ballot initiative was approved by California voters in June, but it was subsequently withdrawn following the passage of the Act due to a compromise between the California legislature and the ballot initiative's sponsors. It is expected that the Act will be further amended by the California legislature and interpreted by agency regulations. Although the major pillars of the Act are settled, a number of provisions still require further clarification.

Key Requirements Under the Act

As currently written, the Act requires certain businesses (described in more detail below) to disclose information to consumers about the personal information they collect, including the sources from which the information is collected, the purposes for collecting the information, and the third parties with whom the information is shared.

The Act defines "personal information" broadly to mean "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." It includes traditional identifiers like names and addresses, as well as commercial and biometric information, browsing and search history, geolocation data, and any "[i]nferences drawn from any information . . . to create a profile about a customer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes." Suffice it to say, the term "personal information" is especially broad.

The Act provides consumers the right to request that their personal information be erased. In most instances, businesses must comply with a consumer's request to erase his or her personal information.

Consumers also have a right under the Act to opt out of the sale of their personal information, and the Act prohibits businesses from discriminating against consumers who choose to do so. However, businesses may charge consumers a different price or provide different quality goods or services when consumers opt out if "that difference is reasonably related to the value provided to the consumer by the consumer's data." There is considerable ambiguity surrounding this exception, and we expect more information to be released clarifying its meaning.

Importantly, the Act also creates a private right of action for consumers in some circumstances in the event of unauthorized access to or disclosure of their personal information, and the Act provides for statutory damages that could amount to more than actual damages. However, the Act only applies to the personal information of California residents, so this private right of action is limited.

To Whom the Act Applies

The Act applies to any business that collects California residents' personal information and (i) has annual gross revenues over $25 million; (ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers; or (iii) derives fifty percent or more of its annual revenues from selling consumers' personal information. The Act does not apply to entities covered by the California Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act (HIPAA).

For further information on how Verrill Dana can assist with your business's compliance with the Act before its effective date on January 1, 2020, please reach out to your regular Verrill Dana attorney.

___________________________________________________________________
This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.

Firm Highlights

Publication/Podcast

New DOJ Task Force Announced Will Impact Health Care Providers & Prescribers in Northern New England

Major enforcement news was released today, Wednesday, June 29, 2022, for medical professionals and anyone working in or around the health care space in Maine , New Hampshire , and Vermont . The United...

Publication/Podcast

Connecticut’s new privacy law: What you need to know

As part of its growing privacy practice, Verrill is pleased to share this advisory on Connecticut’s new privacy law. Verrill is pleased to offer a sophisticated range of privacy and cybersecurity services. On May...

Publication/Podcast

Hospitals Win 340B Medicare Rate Cut Suit, But When, How, and How Much They Will Recoup Remains Unclear

In a recent unanimous decision, the Supreme Court found that the Centers for Medicare and Medicaid Services (“CMS”), part of the federal Department of Health and Human Services (“HHS”), erred when it significantly reduced...

Publication/Podcast

The PHE is Ending: Do You Know Where Your Waivers Are?

While the pandemic is not over, the COVID-19 public health emergency (PHE) is expected to expire soon, which means that a number of operational, safety, and billing standards that were waived at the beginning...

Publication/Podcast

What's Notable In DOJ's 1st Cyber-Fraud Initiative Settlement

Verrill attorneys David G. Lazarus , Michael K. Fee , and Jeffrey Smagula recently wrote the article "What's Notable In DOJ's 1st Cyber-Fraud Initiative Settlement" published in Law360 . The article reviews the U.S...

News

Maine Street Solutions Welcomes Peter Gore as Senior Governmental Relations Specialist

AUGUSTA, Maine – Maine Street Solutions is pleased to welcome Peter Gore as a Senior Government Relations Specialist. Gore brings nearly three decades of extensive experience in government relations, conflict resolution, grassroots and nonprofit...

Contact Verrill at (855) 307 0700