California Passes Legislation Significantly Changing Privacy Requirements for Entities Doing Business in the State
As we discussed in our prior alert, California voters had been poised to consider a citizen-initiated ballot measure that would have significantly expanded the privacy rights of California citizens and provided substantial penalties for noncompliant companies. In response to that ballot measure, the California legislature hastily pushed through privacy legislation despite the "grave, grave concerns" expressed by lawmakers.
Lawmakers were willing to enact the flawed legislation based on an assurance from the proponent of the ballot measure that he would withdraw it if the legislation passed. However, because the deadline to withdraw a qualified ballot measure was June 28, 2018, lawmakers had to rush the legislation through both houses. And, since state law requires that legislation be in print for at least 72 hours before a vote, any amendment would have restarted that clock, so lawmakers had no practical opportunity to offer amendments.
Lawmakers were willing to engage in such a rushed course of action because, if the ballot measure had become law, any later change would have required approval by a 70 percent vote of both houses rather than a simple majority. Also, because the legislation does not take effect until January 1, 2020, lawmakers can, in theory, fix any problems in the intervening time.
Despite its tumultuous legislative history, the legislation—titled the California Consumer Privacy Act of 2018—grants significant privacy rights to California residents. Any entity that does business in California and qualifies as a "business" under the Act will need to comply with the law or risk substantial financial penalty.
The legislation provides for the following consumer rights:
A consumer (defined as a California resident) has the right to request that a business (defined below) that collects a consumer's personal information (defined below) disclose to that consumer the categories and specific pieces of personal information that the business has collected.
A business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business is forbidden from collecting additional categories of personal information or using personal information collected for additional purposes without providing notice to the consumer.
A consumer has the right to request that a business delete any personal information about the consumer that the business has collected.
A consumer has the right to request that a business that collects personal information about the consumer disclose: (a) the categories of personal information it has collected about that consumer, (b) the categories of sources from which the personal information is collected, (c) the business or commercial purpose for collecting or selling personal information, (d) the categories of third parties with whom the business shares personal information, and (e) the specific pieces of personal information it has collected about that consumer.
A consumer has the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose: (a) the categories of personal information that the business collected about the consumer, (b) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold, and (c) the categories of personal information that the business disclosed about the consumer for a business purpose.
A consumer has the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information.
A business cannot sell the personal information of consumers if the business has actual knowledge that the consumer is younger than 16 years old, unless the consumer—in the case of consumers who are between 13 and 16—or the consumer's parent or guardian, in the case of consumers who are younger than 13, has affirmatively authorized the sale of the consumer's personal information.
To comply with these requirements, a business must make available two or more designated methods for submitting consumer requests, and the requested information must be provided to the consumer within 45 days of receipt of a verifiable consumer request.
The law defines "business" as an entity doing business in California that:
(a) has annual gross revenues in excess of $25,000,000;
(b) alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
(c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Because the law defines "consumer" as a California resident, the second and third thresholds should be read as referring to California numbers, not nationwide numbers.
The law defines "personal information" extremely broadly as any "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The law lists numerous categories of information that qualify as personal information.
Online Privacy Notice Requirements
The law requires businesses to include specific information in their online privacy policies, including:
a description of the consumers' rights as discussed above;
a list of the categories of personal information that the business has collected about consumers in the preceding 12 months;
a list of the categories of personal information it has sold about consumers in the preceding 12 months; and
a list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months.
The law creates a complicated enforcement mechanism for private litigants and the California Attorney General's office.
First, the legislation authorizes consumers to bring a civil action if their "nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." This private right of action is therefore limited to data breaches: it does not extend to other violations of the Act, and it reaches only personal information that was neither encrypted nor redacted when it was compromised, so encrypting stored data and redacting stored identifiers directly narrow a business's exposure. The law provides for statutory damages of not less than $100 and not greater than $750 "per consumer per incident," or actual damages, whichever is greater.
Prior to initiating an action for statutory damages, the consumer must give the business 30 days' written notice identifying the specific provisions alleged to have been violated. If within those 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violation has been cured and will not recur, the consumer cannot bring a claim for individual statutory damages. A consumer who files an action must also notify the Attorney General, whose office may elect to prosecute the violation itself.
For Attorney General enforcement actions, the statute provides for civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation, and a business is given 30 days after notice from the Attorney General to cure the alleged violation before an action is brought.