California has enacted the California Consumer Privacy Act of 2018 (AB 375) (the “Act”), which grants California residents a number of rights that, in some ways, reflect those provided under the EU General Data Protection Regulation (“GDPR”). The Act goes into effect on January 1, 2020, giving businesses 18 months to update their privacy notices and change the ways they handle personal information to facilitate honoring the newly created rights for California consumers. Notably, the Act’s passage prompted the backers of a similar ballot initiative to withdraw their proposition from inclusion on the November ballot.
The Act applies to businesses handling California consumer “personal information” (“PI”), which is defined more broadly in the Act than in any other U.S. privacy law – and, in some ways, more broadly than “personal data” under the GDPR – to include information that “is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” However, PI does not include information made publicly available in government records.
The Act creates certain rights for consumers with regard to their PI. Businesses must honor consumers’ verifiable requests to exercise the following rights:
- Right to Know or Right to Be Informed. Businesses must provide the consumer with the specific pieces of PI the business has collected, the categories of PI sources, the business or commercial purpose for collecting or selling PI, and categories of third parties with whom the business shares PI. Businesses must also disclose, upon request, whether they sell PI or disclose it for business purposes and, if so, must make additional disclosures about the categories of information sold and for what purposes.
- Right to Request Deletion. Businesses must delete any PI specified by a consumer, subject to certain exceptions (e.g., to complete a transaction for which the PI was collected, detect security incidents, comply with legal obligations, or in connection with lawful internal uses that are consistent with the consumer’s relationship with the business and the context in which the information was collected).
- Right to Opt Out. Each consumer has the right, at any time, to direct a business that sells his/her PI not to sell the consumer’s PI.
- Right to Opt In. Businesses may not sell the PI of a consumer if they have actual knowledge that the consumer is under 16. However, consumers between ages 13 and 16, and parents or guardians of consumers under 13, may affirmatively authorize the sale of the consumer’s PI.
- Right to Access. Upon receipt of a verifiable request, businesses must provide consumers with access to their PI in a “readily useable format” that “allows the consumer to transmit this information to another entity without hindrance.” Consumers may make this request no more than twice per 12-month period.
Businesses must disclose the existence of these rights in their privacy policies, along with other information, such as the categories of PI they collected from consumers generally in the past 12 months, the purposes for which such PI will be used, and whether the business sold or disclosed the PI for business purposes within the preceding 12 months – and, if it did, the categories of recipients of the sale or disclosure.
Businesses may not discriminate against consumers for exercising their rights, such as by denying goods or services, charging different prices, providing a different level or quality of service, or suggesting that a consumer will receive different prices or service levels based on the consumer’s exercise of his/her rights. However, businesses may charge different rates or provide different levels of quality if the differences are reasonably related to the value provided to the consumer by the consumer’s data.
In addition to the requirements above regarding consumer rights, the Act also:
- Requires designated methods for submitting requests for information. Businesses must make available to consumers at least 2 methods for submitting requests for information, including, at a minimum, a toll-free phone number and a website (if the business has one).
- Requires delivery of required information within 45 days. Businesses must disclose and deliver required information to a consumer free of charge within 45 days of receiving a verifiable request.
- Requires businesses to cure violations within 30 days of being notified of a violation.
- Creates a private right of action for California consumers whose information has been breached, if the breach occurred as a result of a business’s failure to maintain reasonable security. The Act permits statutory damages of not less than $100 nor greater than $750 per consumer per incident, or actual damages, whichever is greater. The Attorney General may also bring a civil action, with statutory damages of up to $7,500 per violation for intentional violations.