California Enacts Broad New Data Protection Law

California recently passed the California Consumer Privacy Act of 2018, effective January 1, 2020, which will impose new obligations on businesses with regards to the collection, use, and sale of consumers’ personal information.

The provisions of the Act will apply to for-profit businesses that collect consumers’ personal information and satisfy one or more of the following thresholds: (1) has annual gross revenues in excess of $25 million; (2) annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The term “consumer” is defined under the Act to mean residents of California, and the Act does not apply to commercial conduct that takes place wholly outside of California. Commercial conduct takes place wholly outside of California if: (1) the business collected that information while the consumer was outside of California; (2) no part of the sale of the consumer’s personal information occurred in California; and (3) no personal information collected while the consumer was in California is sold.  The Act also does not cover information that is otherwise publicly available.

Broadly speaking and subject to certain exceptions, the Act gives consumers four basic rights with respect to their personal information:

• Disclosure. Consumers have the right to request that a business disclose: the pieces of personal information it collects; the sources from which the information is collected; the business purpose for collecting and selling the information; and the 3rd parties with which the information is shared.
• Opt out. Consumers have the right to opt out of allowing a business to sell their personal information.
• Deletion. Consumers have the right to demand that businesses delete their personal information.
• Equal pricing. Businesses are prohibited from discriminating against consumers who exercise these rights, including by charging such consumers a different price or providing a different quality of goods or services, except if the difference is reasonably related to value provided by the consumers’ data.

To facilitate compliance with these disclosure obligations, businesses must make available to consumers different methods for submitting requests for information, and must respond within 45 days of receiving a verifiable request from the consumer (free of charge).

With regards to the right to opt out, businesses must provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” that enables a consumer to opt out of the sale of the consumer’s personal information.

Additionally, businesses that collect personal information from consumers must disclose the consumer’s right to request the deletion of the consumer’s personal information.  A business that receives a verifiable request from a consumer to delete the consumer’s personal information must delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.  Note that there are several exceptions to this requirement, including if it is necessary for the business or service provider to maintain the consumer’s personal information in order to complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.  There is also an exception when the information is necessary to detect security incidents, or protect against malicious, deceptive, fraudulent, or illegal activity.

Enforcement of the Act is two-fold.  First, the California Attorney General may impose civil penalties of up $7,500 per violation for intentional violations (with lower penalties for unintentional violations).  Additionally, the Act creates a private right of action for any consumer whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

The bill is available here.