On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of signatures to appear on the November 2018 ballot in the state. Both the Act and the Ballot Initiative were a reaction to high-profile news stories involving large-scale consumer data collection and sharing by online companies, often done without notice to or consent from consumers.
The Ballot Initiative, driven and funded by a coalition of privacy advocates, proposed both expanding consumer privacy rights under existing state laws such as the California Online Privacy Protection Act and the “Shine the Light” law, and giving new consumer rights with regard to information sharing. The Ballot Initiative, which was withdrawn in response to the enactment of the Act, would have provided state residents with increased rights regarding the types of information online companies possess about them, the purposes for which the information is used, and the entities with which the information is shared. Consumers would also have been given the right to stop certain sharing of their personal information. Critics asserted that the Ballot Initiative was poorly crafted and would stifle innovation in data services. Last minute revisions to the language of the Act, which generally follows the requirements of the Ballot Initiative, sought to address some of these concerns and several industry groups that had opposed the Ballot Initiative did not lobby against the quick passage of the Act.
Requirements of the Act
Businesses subject to the Act are those that do business in California and either (i) have annual gross revenues in excess of $25 million; (ii) deal in the personal information of over 50,000 consumers, households, or devices; or (iii) derive the majority of their annual revenue from selling consumers’ personal information. A subject business’ subsidiary and controlling parent entity must also comply with the Act, and covered entities must be in compliance with the Act by January 1, 2020.
A business must provide a proactive disclosure before or at the point of collection of a California consumer’s personal information. This requirement expands on existing requirements of the California law by requiring businesses to disclose to a requesting California resident the “categories and specific pieces” of personal information that the business has collected about the resident. Specifically, a business will be required to disclose (i) the categories of personal information it has collected about that consumer; (ii) the categories of sources from which the personal information is collected; (iii) the business or commercial purpose for collecting or selling personal information; (iv) the categories of third parties with whom the business shares personal information; and (v) the specific pieces of personal information it has collected about that consumer.
The deadline for delivering such disclosures starts at the point of receiving a verifiable consumer request and ends 45 days later. The time period to provide the required information may be extended once by an 2 additional 45 days when reasonably necessary, as long as the consumer is provided notice of the extension within the first 45-day period. The disclosure must cover the 12-month period preceding the business’s receipt of the verifiable request.
Businesses will also need to provide two or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address.
The Act also gives consumers the right to demand in certain circumstances that the business delete any personal information about the consumer which the business has collected from the consumer.
Additionally, under the Act, a California resident may direct a business not to sell the consumer’s personal information. Until the resident has received such notice explicitly and is provided an opportunity to exercise the right to opt out, any “third party” must not sell the resident personal information that has been sold by a subject business. For minors, the personal information sale provisions are stronger, requiring an affirmative opt in to allow businesses to sell a minor’s personal information. If the business has actual knowledge that a consumer is less than 16 years of age, it must not sell the personal information of the minor absent appropriate consent. A consumer between 13 and 16 years of age may give such consent by affirmatively authorizing the sale. For consumers who are less than 13 years of age, only a parent or guardian may provide proper consent by affirmatively authorizing the sale of the consumer’s personal information.
Businesses generally must provide equal service and price to consumers regardless of whether they exercise the new privacy rights outlined in the Act. The Act provides that businesses cannot retaliate against such consumers in any way, including by charging them higher prices.
Enforcement of the Act
The Consumer Privacy Act grants enforcement responsibilities to the California Attorney General, who will also, among other things, (i) propose a method for distribution of proceeds derived from enforcement actions; and (ii) create a Consumer Privacy Fund—which would include the deposit of penalty money—to support the Act’s purposes.
The Act also provides for a “private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.” A private action may be initiated on an individual or class-wide basis, and the Act establishes a process for plaintiffs to follow prior to bringing the action. Plaintiffs may seek compensatory damages, injunctive or declaratory relief, or “any other relief the court deems proper.” Punitive damages are therefore possible under the wording of the Act.
Because the Act carries an effective date of January 1, 2020, there is time for the California Legislature to refine or change aspects of the quickly-enacted law. However, the Act will mandate significant changes to the business practices of online companies collecting or using personal information relating to California residents. Businesses should consider preparing for the Act now, particularly by (i) determining the types of personal information about consumers that is collected or obtained; (ii) determining entities with which that information is shared and how consumer choices about sharing can be honored; and (iii) considering a mechanism for addressing consumer requests under the Act.