California Passes Landmark Consumer Privacy Law: What You Need to Know Now
By Procopio Associate Nicholas Kawuka
In a significant action that imposes new privacy obligations on California companies while forestalling possibly more onerous requirements from a citizen ballot initiative, on June 28, 2018, the California legislature unanimously passed and Governor Jerry Brown signed into law the California Consumer Privacy Act. When it becomes effective, this amendment to the California Civil Code will make sweeping changes to California’s privacy laws, impacting a number of companies who do business across the Golden State.
The changes include giving consumers the right to know the contents of their personal information that is collected by businesses, the right to know whether such information is sold or disclosed, and the right to access a copy of the collected personal information. The law also gives consumers the right to say no to the sale or disclosure of their personal information.
Most importantly, the new law requires businesses to treat consumers fairly and equally in terms of services and pricing, even when those consumers exercise the rights protected under the law. Fairness in pricing means a business must charge equal prices to consumers even if they, for example, ask that a party not sell their information. Businesses are allowed, however, to incentivize consumers monetarily to make their personal information available.
Currently, California’s privacy regulations do not give consumers significant control over their personal information. While existing law provides consumers with remedies when they have suffered injury from a data breach or other unauthorized disclosure of their personal information, consumers will now have proactive control over the collection and use of their personal information.
Here’s what you need to know about how these changes may impact your business, and some steps to take to avoid running afoul of the new law.
1. Who is Affected?
The new law applies to any business that operates in California that deals with consumers' personal information and meets any one or more of the following classifications: (1) has a gross revenue of at least twenty-five million dollars ($25,000,000); (2) buys, receives, sells, or shares for economic gain the personal information of 50,000 or more consumers, households, or devices; or (3) generates fifty percent (50%) of its revenue from dealing in consumers’ personal information.
2. What Personal Information Is Protected?
The law classifies a wide range of information that identifies, relates to, describes, or is capable of being used to identify a consumer or household as personal information. In addition to the classic identifiers such as names, addresses or social security numbers, the law specifically includes: geolocation data; audio, electronic, visual, thermal, or similar information; and any “inferences” from other information that can be used to create a profile of a consumer as personal information. Information that does not fit the description of “personal information” includes that which is lawfully made available from federal, state or local government records. Notably, publicly available information does not include biometric information that is collected about a consumer without the consumer’s knowledge. Moreover, before its effective date, the Attorney General may seek public participation and adopt regulations updating the definition of personal information depending on changes in technology, data collection practices, identified obstacles to enforcement, and privacy concerns.
3. Rights That Are Guaranteed Under the New Law
The law gives Californians significant control over their personal information. It guarantees: (1) the right to know what personal information is collected; (2) the right to know whether such information is being disclosed to any third party or whether it is being sold; (3) the right to deletion of personal information* collected or stored by any business; (4) the right to opt-in or opt-out of the sale of personal information; and (5) the right to fair and equal treatment and service by a business even where a Californian exercises rights of privacy under the new law.
4. Who Can Assert the Consumer’s Privacy Rights?
Like other consumer protection laws in California, the state’s Attorney General can enforce the law against any business that does not comply. Consumers can also directly assert their rights by contacting businesses or filing a complaint against a noncompliant business if they suffer actual damages. Consumers may also sue businesses even when they have not suffered actual damages if they appropriately follow the procedure of notifying both the Attorney General and the violating business, and the business fails to cure the violation or violates a written statement stating that it will not violate the law any further. The law also allows consumers to authorize third parties to act on their behalf in opting out of the sale of personal information.
5. What Is Your Exposure?
Consumers can individually sue a business based on actual money damages suffered when the business violates the law. But unlike many current privacy and data breach laws, the California Consumer Privacy Act does not require consumers to prove that they suffered actual damages. Subject to the requirements of notifying the business and the Attorney General, consumers may seek damages ranging between one hundred dollars ($100) and seven hundred and fifty dollars ($750) per consumer incident. While the law does not specifically define what a consumer incident is, context suggests that an incident may be any “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s personal information. In addition to individual actions, consumers may institute class actions after following proper procedures under the law.
6. What Next?
By passing the California Consumer Privacy Act, the California legislature was able to avert what many considered to be an even more restrictive change to privacy law in the form of a November ballot initiative. The authors of the ballot initiative will now withdraw their proposed measure, allowing California to begin the process of enacting the new legislation.
The countdown has started. The law comes into effect on January 1, 2020. While that is more than a year away, the tough provisions of the law require early changes to business practices, as well as to policies and procedures to ensure readiness and compliance by January 1, 2020. For example, for businesses that operate on the Internet and sell or disclose personal information for economic gain, the law requires a clear and conspicuous link on the business’ homepage titled “Do Not Sell My Personal Information.” Based on all of the above, if you own or operate a business that collects any personal information, we encourage you to contact our Privacy and Data Security team to discuss your exposure to the new legislation. Time is of the essence.
* This is similar to the “right to be forgotten” under the European Union’s General Data Protection Regulation (“GDPR”).
Nicholas Kawuka is an Associate in Procopio's Privacy and Data Security practice group. He advises clients in intellectual property counseling and litigation, trade secrets, and trademarks and copyrights. Nicholas’s practice focuses on a variety of technologies including chemical, manufacturing, software application, digital signal processing and electronic circuit fields. He also has experience in commercial litigation involving breach of contract, fraud and unfair business practices, breach of fiduciary duty, misappropriation of trade secrets and financial trade institutions.