What You Need to Know About California’s New Privacy Law
On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”), on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “Act”) was quickly passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. The sponsor of the ballot initiative agreed to withdraw the measure if the legislature passed a consumer privacy bill prior to the June 29th withdrawal deadline. Given the difficulty of making any revisions to a measure enacted by initiative rather than by the normal legislative process, the legislature quickly adopted the Act and the governor signed it into law in only seven days. Legislative amendments to the Act are expected before it goes into effect on January 1, 2020, and the Act also requires the California Attorney General to develop certain implementing regulations.
Who Has to Comply?
As passed, the Act is likely to affect not only many California businesses, but also a large number of businesses that merely have an online presence in California. The Act applies to for-profit entities, located anywhere in the world, that do business in California, collect (or engage a third party to collect) the personal information of California residents, and satisfy at least one of the following: (1) have over $25 million in annual gross revenue; (2) buy, sell, receive or share for commercial purposes the personal information of 50,000 or more California residents, households or devices on an annual basis; or (3) derive 50 percent or more of their revenue from the sale of personal information of California residents (any such entity is a “covered business”). It also applies to any parent or subsidiary of a covered business that uses the same branding.
As written, non-profits, small companies, and businesses that neither traffic in large amounts of personal information nor share a brand with an affiliate covered by the Act will not have to comply with the Act.
How is Personal Information Defined?
The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act provides a non-exhaustive list of examples that includes some expansive examples. For example, personal information includes “commercial information,” including “records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies”; “Internet or other electronic network activity information,” including browsing and search histories; “education information”; and “[a]udio, electronic, visual, thermal, olfactory, or similar information.”
Personal information does not include the following: (1) information that is lawfully made available from federal, state or local government records and is used for a purpose compatible with the purpose for which such data is maintained; (2) protected health information that is governed by the California Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (3) personal information governed by the Fair Credit Reporting Act; (4) personal information governed by the Gramm-Leach-Bliley Act; and (5) personal information governed by the Driver’s Privacy Protection Act of 1994. The Act does not apply to de-identified personal data, as long as the de-identification measures meet the Act’s very strict standards, or to aggregate consumer information, which is also defined strictly by the Act.
What Rights are Consumers Given?
The Act gives “consumers” (defined as natural persons who are California residents) four basic rights in relation to their personal information:
- The right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
- The right to have a business delete their personal information, with some exceptions; and
- The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
What are the Enforcement Rights?
The Act can be enforced by the California Attorney General, subject to a thirty-day cure period. The civil penalty for intentional violations of the Act is up to $7,500 per violation. The Act also provides a private right of action that allows consumers to seek, either individually or as a class, statutory or actual damages and injunctive and other relief, if their sensitive personal information is subject to unauthorized access or disclosure as a result of a business’s failure to implement and maintain required reasonable security procedures and practices. Statutory damages range between $100 and $750 per California resident per incident, or actual damages, whichever is greater.
What is the Potential Impact?
It remains to be seen whether other states will follow California’s lead and adopt similar laws. If a patchwork of state laws evolves with respect to broader privacy rights like those covered by the Act, companies could be forced to navigate different (and potentially conflicting) state privacy requirements in the ordinary course of business.
Grayson J. Derrick
Chair, Technology and Intellectual Property Section