California’s Sweeping Consumer Privacy Act—There Will Be More Opportunities To Weigh In Before the Law Becomes Effective in 2020
On June 28, California Governor Jerry Brown signed into law the California Consumer Privacy Act, a rigorous privacy law modeled, in part, on Europe’s General Data Protection Regulation (GDPR). The law was fast-tracked through the state legislature in order to avoid a ballot initiative that would have put this issue to the voters. As such, California lawmakers have indicated that there may be some “clean-up” to do prior to the law’s effective date, which is currently set as January 1, 2020.
As it stands, the law will have a sweeping effect on businesses nationwide, as it imposes obligations and restrictions on businesses that collect personal information about California residents if the business (1) meets a certain threshold (e.g., has an annual gross of over $25 million; buys, receives for a business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices on an annual basis; or derives at least 50 percent of its annual revenues from selling consumers’ personal information) and (2) does business in the state of California. Personal information is broadly defined to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including but not limited to:
- “Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;”
- “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;”
- “Biometric information;”
- “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;”
- “Geolocation data;”
- “Audio, electronic, visual, thermal, olfactory, or similar information;”
- “Professional or employment-related information;” and
- “Education information.”
The law extends to “[i]nferences drawn [from the above] information . . . to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, references, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
It creates several rights for California residents, including:
- Rights to request disclosures, including the right to request that a business disclose to the consumer “the categories and specific pieces of personal information the business has collected;” the right to request that a business disclose various information such as “the categories of third parties with whom the business shares personal information” and “the business or commercial purpose for collecting or selling personal information;” and the right to request certain information if a business sells the consumer’s personal information.
- The right to request deletion of personal information collected about the consumer.
- An opt-out right, which can be exercised at any time and which affords a consumer the ability “to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.”
- An opt-in right for consumers under 16, which prohibits a company from selling personal information about consumers under 16 unless the consumer (in the case of consumers between 13 and 16) or the consumer’s parent or guardian (in the case of consumers under 13) have “affirmatively authorized the sale.”
The California Consumer Privacy Act also prohibits a company from discriminating against consumers who exercise their privacy rights under the law. The law makes clear that it does not “prohibit a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data,” and that a business may offer consumers financial incentives for the collection of personal information, so long as the financial incentive practices are not “unjust, unreasonable, coercive, or usurious.” The law also dictates that any contract that waives any of these statutory rights are void and unenforceable.
The statute is enforceable by consumers via a private right of action, which allows consumers to initiate lawsuits against businesses for actual or statutory damages. The law establishes several processes that a consumer must go through in order to bring suit, including notice to the business and an opportunity to cure, and notice to the Attorney General, who has the ability to prosecute the violation, allow the consumer to bring suit, or prevent the consumer from bringing suit. Specifically, the new law creates a private right of action in the case of a security breach. Consumers whose nonencrypted or nonredacted personal information is the subject of a breach—defined as “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the person information”—may sue for various relief, including injunctive or declaratory relief, or up to $750 in statutory damages (or actual damages) per consumer per incident. If this private right of action becomes effective in 2020, it will very likely be the source of high-dollar class action litigation.
In addition to the “cleanup” legislation that is expected between now and the effective date in 2020, the law also gives the Attorney General the authority to solicit broad public participation to engage in rulemaking. Accordingly, there will be more opportunities for affected parties to weigh in.