The deadline for businesses to implement compliance with the California Consumer Privacy Act is just around the corner, and chances are most businesses are not ready.
On June 28, 2018, Governor Brown signed into law the California Consumer Privacy Act of 2018. The Act applies to any business that does business in California and i) has annual gross revenues in excess of $25 million; ii) buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or iii) earns more than half of its annual revenue from selling consumers’ personal information.
The purpose of the Act is to provide California residents with significant new rights related to their personal information. The Act provides:
- That California residents have the right to know the type of personal information being collected about them, to know whether such information is being sold or disclosed to any third parties and the identification of such third parties;
- That California residents have the right to prohibit the sale of their personal information;
- That California residents have the right to access their personal information and may request a business delete any or all of their personal information; and
- That California residents may not be discriminated against for exercising these rights.
The Act defines “personal information” broadly to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of personal information include identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license or state identification number, and passport number. Personal information also includes an insurance policy number, employment history, a bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Characteristics of protected classifications under California or federal law (e.g., race, religion, age, etc.) are considered personal information, as is biometric information. Additionally, the following are considered personal information under the Act: commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement; geolocation data; and audio, electronic, visual, thermal, olfactory, or similar information. Any inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes are also personal information. Personal information does not include information that is publicly available or “aggregate consumer information,” which is data that is “not linked or reasonably linkable to any consumer or household.”
The Act does not delineate personal information based on the means of collection or the consumer’s relationship with the business. Accordingly, the Act applies to personal information collected by both digital and non-digital means, and covers not only a business’s customers but also its employees, contractors, vendors, etc.
If a business collects personal information, the business must, at or before the point of collection of the personal information, provide two methods for consumers to submit requests, one of which must be a toll-free number and a website address (if the company maintains a website). Consumers may use these methods to request a wide variety of information, including the categories of personal information the business has collected about that consumer, the business purpose for collecting such information, and the third parties with whom the business shares such personal information. Such requests must generally be responded to within 45 days.
Compliance with the Act will be enforced by the Attorney General of California through substantial civil penalties. The Act also provides remedies where a California consumer’s personal information is accessed or disclosed due to a data security breach where such breach is due to the failure to “implement and maintain reasonable security procedures.” The Act provides for statutory damages and allows such claims to be made on a class-wide basis.