Jarno Vanto and Reece Clark
On June 28, 2018, Governor Jerry Brown signed a new privacy law that will allow California residents to exercise more control over the personal information companies collect on them and impose new penalties for noncompliance. The law is a first of its kind in the United States and is similar in some ways to Europe’s new General Data Protection Regulation (GDPR). The law will go into effect January 1, 2020, allowing companies time to prepare and adjust their business practices.
Known as the California Consumer Privacy Act of 2018 (AB 375), the law is a legislative response to a successful ballot initiative campaigned by the interest group “Californians for Consumer Privacy.” Once approved for the November ballot, lawmakers moved quickly to craft legislation that offers a more measured approach to consumer privacy than the ballot initiative. As drafted however, the law hews relatively close to the ballot initiative, prompting Californians for Consumer Privacy to withdraw their proposal. Lawmakers anticipate this law will be amended in the run-up to 2020 to further harmonize business interests and consumer protections.
What Does the Law Do?
The law gives consumers additional control over their personal information and new rights they may exercise with companies collecting their personal information. For example, the law provides for all of the following:
- Required Disclosures. The law will require new disclosures regarding consumer personal information. For example, a business may be required to disclose the purposes for which it collects or sells personal information, the categories of personal information that it collects, the sources from which that information is collected, and the categories of third parties with which the information is shared.
- Consumer Rights. The law grants consumers new rights similar to the GDPR’s data subject rights. Consumers will be able to request, for example, deletion of personal information from a business upon the business’s receipt of a verified request.
- Limited “Opt-Out” Discrimination. The law will prevent a business from charging a consumer who “opts out” of disclosing personal information a different price, or providing a different quality of service, unless the difference is reasonably related to the value provided by the consumer’s data.
- Enforcement Mechanisms. The law gives new enforcement powers to the Attorney General for noncompliance and a private right of action to individuals in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s non-encrypted or non-redacted personal information, making it easier for individuals to sue companies after a data breach.
- Penalties. The law provides that any person, business, or service provider that intentionally violates the law may be liable for a civil penalty of up to $7,500 per violation. The law will also allow recovery of damages in a private right of action for an amount not to exceed $750 per incident or actual damages, whichever is greater.
- Restricted Sale of Personal Data. The law will curb the sale and resale of personal data by third parties who receive personal data from a business, unless the disclosing business has given consumers explicit notice and the opportunity to “opt out.”
- Age Restrictions. The law will prevent the sale of personal information of a consumer under the age of 16, unless affirmatively authorized through an “opt-in.” For individuals under the age of 13, parental consent will also be required.
- A Definition of “Personal Information.” The law defines “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information. The concept is much broader than the traditional United States understanding of personally identifiable information, bringing it closer to the GDPR definition of “personal data.”
What Should I Do?
If your business collects consumer personal information, whether for marketing purposes or in the course of providing your products or services, now is the time to reevaluate your privacy practices. While January 1, 2020 is more than a year away, achieving compliance early can save your business from costly enforcement actions. Privacy laws are rapidly changing across the globe. To be sure your business is in compliance with the law, whether now in effect or coming soon, it is critical to work with experienced counsel to evaluate your risk exposure. Polsinelli attorneys have experience in privacy and information security work and can help analyze the complex privacy challenges your business faces.