Note: The California Consumer Privacy Act ballot initiative discussed in this post was withdrawn from the November ballot on June 28, 2018, after the California legislature passed a bill, AB 375, of the same title. Learn more about the bill here.
A consumer privacy ballot initiative that would create new rights for consumers and affirmative obligations for businesses that collect, sell, and/or disclose consumers’ personal information is likely to appear on California ballots in November. The California Consumer Privacy Act of 2018 (the “Act”) gives California consumers the right to request what personal information a business has collected, sold, or disclosed about them, and to whom, and the right to opt out of the sale of their personal information. Additionally, the Act prevents businesses from denying, changing, or charging more for goods or services if a California consumer pursues his or her rights under the Act, and creates liability for businesses that experience a security breach if such businesses have not implemented “reasonable” security measures. The Act attaches potentially steep penalties.
The Act creates three primary rights for California consumers:
- Under the Act, a California consumer has the right to request that a business disclose categories of personal information it has collected about that consumer. Notably, the Act contains an expansive definition of “personal information,” including categories such as biometric information; browsing history; information regarding a consumer’s interaction with a website, app, or advertisement; and any inferences drawn from information about a consumer.
- A California consumer would have the right to request categories of personal information a business has either sold about the consumer or disclosed about the consumer for a business purpose (i.e., disclosures to service providers), and the identities of the entities to whom such personal information was disclosed. A “sale” under the Act does not include a consumer: 1) intentionally disclosing personal information, or 2) intentionally interacting with a third party. A consumer does not intentionally interact with a third party by closing a given piece of content. A “business purpose” is defined broadly under the Act to include operational purposes such as security monitoring, customer service, and payment processing.
- The Act gives California consumers the right to direct a business not to sell the consumer’s personal information. A business may not request that a consumer re-authorize such sale for at least 12 months after receiving such direction.
The Act also imposes affirmative obligations on businesses:
- Businesses must provide certain types of information related to the collection, sale, or disclosure of consumers’ personal information, upon the request of a consumer. Businesses must provide a toll-free telephone number and website address allowing consumers to submit requests for information.
- Furthermore, the Act requires businesses that engage in the sale of consumers’ personal information to provide a clear and conspicuous link on the business’s homepage titled “Do Not Sell My Personal Information.” That link must direct consumers to a web page enabling that consumer to opt out of the sale of personal information.
- Finally, businesses must include specified information in an online privacy policy or California-specific notice of consumers’ privacy rights, including: 1) a description of consumers’ rights under the Act and methods for submitting requests; 2) categories of personal information the business has collected about consumers in the preceding 12-month period; and 3) categories of personal information the business has sold or disclosed about consumers in the preceding 12-month period.
In addition to enforcement by the Attorney General or a district attorney, who may seek civil penalties of up to $7,500 per violation, the Act contains a private right of action for consumers. Any violation of the Act is deemed an injury in fact to the consumer, without proof of harm – economic or otherwise. Aggrieved consumers would be entitled to recover statutory damages in the amount of $1,000 per violation or actual damages, and up to $3,000 per violation for knowing and willful violations of the Act. These same penalties also apply to businesses that suffer security breaches in the event the business failed to implement and maintain reasonable security procedures and practices.
The Act, which is intended to supplement existing laws including the California Online Privacy Protection Act and the California Shine the Light Act, has the potential to materially affect virtually all businesses – both online and brick-and-mortar – with operations in California. Businesses will need to be prepared to 1) respond to user data requests both through operational means and personnel training, 2) quickly halt the sale of user data upon request, and 3) implement user notices and updated privacy policies. Should the Act pass in November, it will only apply to personal information collected or sold by a business on or after a grace period of 9 months from the effective date, which would be the day after the election at which the Act is adopted.