California Passes Groundbreaking New Privacy Law

July 3, 2018

By Sten-Erik Hoidal

On June 28, 2018, riding a wave of concern over individual privacy, California enacted a sweeping new privacy law that will have significant implications for companies across the country. California lawmakers swiftly passed the California Consumer Privacy Act of 2018 (the Act) in order to keep an even more stringent privacy initiative from making it onto the statewide ballot for a vote on November 6, 2018.

The Act applies to businesses that collect personal information about California consumers and affords those consumers significant new rights. For those companies that spent the past two years preparing for the E.U.’s General Data Protection Regulation, some of the Act’s provisions will seem familiar. Companies, however, will only have 18 months to comply with the Act. Here is a summary of the Act’s major provisions.

Applicability

The Act applies to for-profit businesses doing business in California that collect “personal information” about “consumers” (e.g., California residents, or persons on whose behalf such information is collected) and that meet at least one of the following thresholds:

  • have gross revenue in excess of $25 million,
  • receive, buy, sell or share personal information on at least 50,000 consumers, households or devices, or
  • derive at least 50 percent of their revenue from selling consumers’ personal information.

Personal Information

The Act defines personal information very broadly to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Right to Prohibit Sale of Personal Information

Consumers have the right to direct a business not to sell their personal information. Businesses that sell personal information are required to provide notice to consumers that their information may be sold and that they have the right to opt out of the sales. The businesses must also include a link on their website titled “Do Not Sell My Personal Information” that will allow consumers to opt out of the sale of their information.

Right to Erasure

Consumers have the right to request that businesses delete any personal information collected about them. In response, businesses must delete the personal information they hold and must require that any service providers with whom they have shared the information do the same. This erasure obligation is subject to numerous exceptions (e.g., retaining the information is necessary to provide a good or service requested by the employee, detect security incidents, comply with a legal obligation, etc.).

Right to Request Information

Upon request by a consumer, businesses are required to disclose certain information, including:

  • the categories and specific pieces of information the business has collected on the consumer,
  • the sources from which personal information is collected,
  • the business purpose for collecting the information, and
  • the types of third parties with whom the business shares personal information.

Further, consumers may request that a business that sells or shares their personal information identify the categories of personal information sold or shared and the types of third parties to whom they were sold or shared. These disclosures must cover the 12-month period prior to the request and generally must be provided within 45 days. When reasonably necessary, this period may be extended for another 45 days by providing notice to the consumer within the original time period.

Right to Notification

Businesses must include specific information on their website privacy policy, including a description of consumers’ rights under the Act, the method for submitting requests for information and the categories of personal information collected about consumers.

Prohibition on Discrimination

In certain situations, businesses are prohibited from denying goods or services, charging different prices or rates, or providing different quality services to consumers who have exercised their rights under the Act.

Limited Private Right of Action

The Act only authorizes consumers to bring suit for certain breaches of personal information that is not encrypted or redacted, where the breach results from the business’s failure to implement and maintain “reasonable security procedures and practices.”

The Act is not set to take effect until January 1, 2020, and may still be revised by the California Legislature. Nevertheless, it is the most far-reaching, detailed and consumer-focused privacy law in the United States. Given California’s enormous economic footprint—it has the fifth largest economy in the world—the reverberations from this Act will be felt far outside the Golden State. Look for further updates and analysis from us on the Act in the coming weeks.