This alert was also authored by Victoria Redman, GSB’s 2018 Summer Associate, located in the Seattle office.
On Thursday, June 28, 2018, the California Consumer Privacy Act of 2018 (the Act) passed with resounding support from both Republicans and Democrats, who voted in favor of the bill 73-0-7 in the Assembly and 38-0-3 in the Senate. The Act, which takes effect on January 1, 2020, imposes requirements on the processing and protection of personal data similar to, and in some cases, more extensive than the requirements under the EU General Data Protection Regulation (GDPR), which went into effect on May 25, 2018.
Which types of businesses will be impacted by the Act?
As defined by 18 C.C.R. § 17014, the Act protects “consumers” who are California residents. Additionally, the Act applies to any for-profit business (online or brick & mortar) that operates in the state of California, and either:
- Earns $25 million or more in gross annual revenue,
- Buys/receives/sells/shares, for commercial purposes, personal data of 50,000 or more people/households/devices, or
- Earns 50% or more of their annual revenue from the sale of personal data.
The Act, however, does not impose liability for distributing consumer information where doing so:
- Complies with the law, or any civil, criminal, or regulatory investigation,
- Cooperates with law enforcement agencies,
- Cooperates with public health and consumer reporting agencies,
- Exercises or defends legal claims,
- Uses a de-identified or aggregate consumer information format, or
- Takes place wholly outside of California.
Consumers gain a new set of rights
The Act grants consumers various non-waivable rights, such as new rights (beyond California’s “Shine the Light” law) to know whether, and to whom their personal information is sold or disclosed, as well as what personal information is being collected about them. The Act also gives consumers the right to object to the sale of their personal information, the right to obtain data collected about them in a “portable” format, and the right to require businesses to delete their information. The Act creates further protections for California residents by prohibiting businesses from denying services or charging higher prices to residents who exercise their rights.
In turn, businesses must provide consumers two or more methods to exercise these rights, such as providing a toll-free telephone number and/or a website address to make requests for information or privacy. Upon receiving verified requests for information, businesses have 45 days (up to 90 days when reasonably necessary) to provide the consumer with the requested information from the previous 12 months, free of charge.
Potential penalties and “public participation”
The Act designates the Attorney General as its primary enforcement authority and establishes civil penalties to be assessed for violations (up to $7,500 per violation). The Act also grants consumers a private right of action for certain data breaches, such as those involving unencrypted and unredacted data that are subject to unauthorized access due to failure of the business to implement and maintain reasonable security procedures appropriate to the information. Damages awarded are no less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater.
Finally, since the Act represents a significant departure from prior state data privacy laws, and continues to be a bit of a work in progress, the Act directs the Attorney General to “solicit broad public participation” in developing regulations to implement the Act and, as part of that process, to develop specific rules and procedures dealing with opt-out and other provisions within one year of the date of enactment.
If you have any questions, please feel free to contact Scott Warner at firstname.lastname@example.org or at 206.816.1319.