May 23, 2019


California Passes Legislation Significantly Changing Privacy Requirements for Entities Doing Business in the State

As we discussed in our prior alert, California voters had been poised to consider a citizen-initiated ballot measure that would have significantly expanded the privacy rights of California citizens and provided substantial penalties for noncompliant companies. In response to that ballot measure, the California legislature hastily pushed through privacy legislation despite the "grave, grave concerns" expressed by lawmakers.

Lawmakers were willing to enact the flawed legislation based on an assurance from the leader of the ballot measure that he would not submit the measure if the legislation passed. However, because the deadline to submit ballot measures was June 28, 2018, lawmakers had to rush the legislation through both houses. And because state law requires that a bill be in print for at least 72 hours before a vote, any amendment would have restarted that clock and pushed the vote past the deadline, so lawmakers had no practical opportunity to offer amendments.

Lawmakers were willing to engage in such a rushed course of action because, if the ballot measure had become law, both houses would have been required to approve any changes by a 70 percent vote instead of a simple majority. Also, because the legislation does not go into effect until January 1, 2020, lawmakers theoretically can fix any problems in the intervening time frame.

Despite its tumultuous legislative history, the legislation, titled the California Consumer Privacy Act of 2018, grants significant privacy rights to California residents. Any entity that does business in California and qualifies as a "business" under the Act will need to comply with the law or risk substantial financial penalties.

Consumer Rights

The legislation provides for the following consumer rights:

  • A consumer (defined as a California resident) has the right to request that a business (defined below) that collects a consumer's personal information (defined below) disclose to that consumer the categories and specific pieces of personal information that the business has collected.

  • A business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business is forbidden from collecting additional categories of personal information or using personal information collected for additional purposes without providing notice to the consumer.

  • A consumer has the right to request that a business delete any personal information about the consumer that the business has collected.

  • A consumer has the right to request that a business that collects personal information about the consumer disclose: (a) the categories of personal information it has collected about that consumer, (b) the categories of sources from which the personal information is collected, (c) the business or commercial purpose for collecting or selling personal information, (d) the categories of third parties with whom the business shares personal information, and (e) the specific pieces of personal information it has collected about that consumer.

  • A consumer has the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose: (a) the categories of personal information that the business collected about the consumer, (b) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold, and (c) the categories of personal information that the business disclosed about the consumer for a business purpose.

  • A consumer has the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information.

  • A business cannot sell the personal information of consumers if the business has actual knowledge that the consumer is younger than 16 years old, unless the consumer—in the case of consumers who are between 13 and 16—or the consumer's parent or guardian, in the case of consumers who are younger than 13, has affirmatively authorized the sale of the consumer's personal information.

To comply with these requirements, businesses must make available two or more methods for submitting verifiable consumer requests, and the requested information must be provided to the consumer within 45 days of receiving a verifiable request.

Relevant Definitions

The law defines "business" as an entity doing business in California that:

(a) has annual gross revenues in excess of $25,000,000;

(b) alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or

(c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Because the law defines "consumer" as a California resident, the second and third categories should be interpreted to relate to California, and not nationwide, numbers.

The law defines "personal information" very broadly as any "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The law also lists numerous specific categories of information that qualify as personal information.

Online Privacy Notice Requirements

The law requires businesses to include specific information in their online privacy policies, including:

  • a description of the consumers' rights as discussed above;

  • a list of the categories of personal information that the business has collected about consumers in the preceding 12 months;

  • a list of the categories of personal information it has sold about consumers in the preceding 12 months; and

  • a list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months.

A business that sells personal information also must provide a clear and conspicuous link on its homepage titled "Do Not Sell My Personal Information," leading to a web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information. The same information also should be provided in the business' online privacy policy.

Enforcement

The law creates a complicated enforcement mechanism for private litigants and the California Attorney General's office.

First, the legislation authorizes consumers to bring a civil action if their "nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." The law provides for statutory damages of not less than $100 and not greater than $750 "per consumer per incident." Note that this private right of action is limited to data breaches caused by a failure to maintain reasonable security, and that it attaches only to personal information that was not encrypted or redacted; encrypting stored personal information and redacting records that do not need to carry identifying data therefore directly narrows a business' exposure under this provision.

Prior to initiating an action, the consumer must provide the business with 30 days' written notice, and the consumer cannot bring a claim for statutory damages if, within that period, the business provides a written statement that the violations have been cured and will not continue. If an action is filed, the consumer must notify the Attorney General, and the Attorney General's office is given the opportunity to prosecute the violation itself.

For Attorney General enforcement actions, the statute allows the Attorney General to seek civil penalties of up to $2,500 for each violation or up to $7,500 for each intentional violation.

Copyright © by Ballard Spahr LLP

About this Author

Malia Rogers, Ballard Spahr Law Firm, Denver, Finance Law Attorney
Associate

Malia K. Rogers is an associate in the firm's Public Finance Department. In addition to her focus in public finance, Malia has experience with privacy and cybersecurity matters.

Before entering the legal profession, Malia was a marketing and business development professional, including at eBay Enterprise.

David Stauss, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney
Partner

David M. Stauss focuses on complex business and commercial litigation in state and federal courts. He handles all aspects of litigation on a wide range of substantive matters for clients, including product liability, landowner liability, and commercial lending.

Mr. Stauss is head of the Denver office's privacy and cybersecurity practice group. He advises clients on regulatory and statutory compliance issues, third-party vendor management policies and contractual provisions, cyber liability insurance retention and coverage analysis, information security controls, incident response policies and plans, and data breach response.

Taylor Steinbacher, Ballard Spahr Law Firm, Attorney
Attorney

Taylor Steinbacher’s practice focuses on consumer financial services and commercial litigation, including individual actions and class action defense. He regularly represents businesses including banks, credit card issuers, and marketplace lenders in matters regarding consumer protection statutes, including the Telephone Consumer Protection Act (TCPA), the Fair Debt Collection Practices Act (FDCPA), as well as Unfair, Deceptive, or Abusive Acts and Practices (UDAAP) statutes and state usury laws. He also assists clients in drafting consumer-facing agreements, such as...

Gregory Szewczyk, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney
Associate

Greg Szewczyk is a litigator with experience serving as a member of several trial and arbitration teams. His responsibilities include examining witnesses at trial; drafting opening and closing presentations; drafting dispositive, discovery and pretrial motions, as well as appellate briefs; taking and defending depositions; arguing evidentiary and procedural issues; preparing witnesses for testimony; and drafting scripts for direct and cross-examinations. He is also a member of the Denver office’s cybersecurity practice group.
