On June 28, 2018, the California State Legislature passed, and Governor Jerry Brown signed, the California Consumer Privacy Act of 2018, bringing to the United States many of the rights and compliance obligations currently being applied by the European Union through its General Data Protection Regulation (GDPR). Effective January 1, 2020, the Act gives California residents broad rights to discover what personal information businesses collect, the purposes for collecting the data, whether the data are disclosed or sold to third parties, and the right to opt out from the sale of their personal information.
The passage of the Act was a compromise between the legislature and the proponents of a ballot initiative that was set to be voted upon by California residents during elections this November. Due to the challenges of changing laws passed through California’s direct ballot initiative – which would require a separate ballot initiative – the legislature worked quickly to cobble together the Act in exchange for an agreement by proponents to withdraw the ballot initiative. Given the rushed legislative process and the delayed effective date, it seems likely that more changes to the laws will take place in the next 18 months to clarify the Act’s requirements.
The Act applies to companies that do business in California and meet any of the following three criteria: (1) annual gross revenue in excess of $25 million; (2) annual purchase, receipt or sale of the personal information of 50,000 or more California residents; or (3) derivation of 50% or more of annual revenue from selling consumers’ personal information.
Below is a summary of the key takeaways from the Act, as passed:
- Broad definition of personal information
The Act defines “personal information” extremely broadly to include the following categories of non-public information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…”:
- Identifiers, such as name, address, IP address, email, Social Security number, etc.;
- Characteristics of protected classifications, such as race, religion, sexual orientation, etc.;
- Commercial information, such as records of purchases, consuming tendencies, etc.;
- Biometric information;
- Internet or other electronic network activity, such as browsing or search history, website interaction, etc.;
- Geolocation data;
- Professional or employment-related info; and
- Education data.
This definition goes well beyond the definitions of personal information under other privacy laws in the United States.
- GDPR-esque rights of California residents to their data
Business and legal practitioners dealing with the implementation of GDPR over the past months will find familiar several of the rights granted to California residents with respect to their personal information, including:
- Right to request information from businesses about the personal data collected, including the sources of the information, the purpose for collecting, and whether the data were disclosed or sold to third parties;
- Right to request that a business delete personal information, including a requirement that this request be passed down to the business’ vendors;
- Right to data portability, meaning that businesses are obligated to produce data in a portable format that would allow the consumer to transmit information to another entity; and
- Right to refuse to permit businesses to sell personal data.
The consumer’s right to refuse to permit the sale of their personal data presents a significantly more lax approach than under GDPR. Rather than requiring affirmative consent for collecting, processing and storing personal data (i.e., requiring an opt in), the Act gives consumers only the right to opt out of the sale of personal information. This right does not extend to the disclosure (as opposed to sale) of personal information to third parties. Additionally, the Act retreats from the more aggressive provisions in the original ballot initiative by permitting, under certain circumstances, businesses to offer financial incentives to consumers in exchange for permitting the sale of their personal information. Note that for consumers under the age of 16, affirmative consent (opt in) is required for the sale of personal information.
- Private right of action for data breaches
In addition to enforcement by the California Attorney General’s office, the Act creates a private right of action for California residents in connection with data breaches resulting in the “exfiltration, theft, or disclosure” of non-encrypted or non-redacted personal information, and provides for statutory damages of $100 to $750 per incident. Prior to bringing suit, consumers would have to provide the business with 30 days’ advance written notice and an opportunity to cure.
While it seems unlikely that the Act is a finished product, California’s passage of sweeping data privacy legislation is a strong indicator that more stringent data privacy laws at the state (and possibly federal) level are coming to the United States. Whether due to a need to comply with GDPR or in anticipation of new U.S. laws, businesses will need to continue making review of their data privacy practices a priority.