California Enacts Sweeping Privacy Law
In a unanimous vote on June 28, 2018, California lawmakers enacted a landmark, first-of-its-kind data privacy law that is intended to give consumers greater control over how their personal information is collected, stored, and sold by companies with whom they do business. Known as the “California Consumer Privacy Act of 2018,” the new law mirrors many of the protections recently enacted in the European Union’s General Data Protection Regulation (GDPR) and could dramatically alter how businesses handle the data of California residents. Under the new law, consumers will have a right to know what information is being collected and how it is shared. They can also opt out businesses being able to sell their information and request that businesses delete any personal information in their possession.
More specifically, the Consumer Privacy Act grants consumers the right to:
- Request a business to disclose, free of charge, the categories and specific pieces of personal information that it collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared;
- Request deletion of personal information and require businesses to delete upon receipt of a verified request;
- Opt out of the sale of personal information by a business and prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or service (although, offering financial incentives to consumers who allow collection of their personal information is permitted); and
- Prohibit a business from selling the personal information of a consumer under 16 years of age, unless the consumer affirmatively opts in.
“Personal information,” as defined under the Privacy Act, is broadly defined and includes nearly every category of information that could be used to identify a consumer, including names, addresses, IP addresses, email accounts, social security numbers, purchasing and search histories, records of network and browsing activities, consumer profiles drawn from personal information that has been collected and many other categories if such information is not already publically available. However, the law does not apply to many other types of information already subject to regulation, such as HIPAA, the Gramm-Leach-Bliley Act, or the Fair Credit Reporting Act.
Businesses that: (1)have gross revenues in excess of $25 million; (2) buy, sell, or share the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information will be subject to the new law.
While the Consumer Privacy Act has many similarities to the recently enacted GDPR, there are also differences. Unlike the GDPR, the Consumer Privacy Act does not require the consumer to opt in before data can be collected and requires disclosure of information collected only upon request by the consumer. In addition, the Consumer Privacy Act does not allow for the targeted deletion of only specific information, and instead provides only for complete deletion of all personal data in a company’s possession upon request.
Companies that violate the provisions of the new law may be subject to enforcement actions by both the state Attorney General and private consumers. The law creates a new “Consumer Privacy Fund” and authorizes the Attorney General to impose civil penalties of up to $7,500 for each violation that is not cured within 30 days of notice being provided to the company. In addition, consumers who are harmed by data breaches stemming from a failure to safeguard their personal information may seek damages of up to $750 depending on the specific factors which led to the incident.
The law is set to go into effect January 1, 2020. However, prior to its passage, the bill faced strong criticism from technology and communications companies who argued that the law would stifle innovation. Given the intense opposition from tech companies and the fact that the law was passed by the California legislature, rather than as a more stringent ballot initiative, it remains to be seen whether the law will go into effect as written or will be amended to address tech industry concerns before 2020. As the issue of consumer privacy continues to gain importance, it is likely that California’s new law may just be the first of many state level data privacy laws to be enacted in the near future.