Data breaches and social media hacks are becoming increasingly common stories on the news cycle. Meanwhile, companies have made fortunes on unsuspecting individuals by selling information gathered on the user. Every internet user has wondered why a pop-up ad or banner on an unrelated website relates to something you purchased or searched for "that one time. The California legislature has decided to return some power back to the people with the California Consumer Privacy Act of 2018. California is the first state to introduce privacy protection for individuals personal data and could pave the way for other states to follow suit in the near future.
The California Consumer Privacy Act of 2018
On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 ("the Act"). The California Legislature eagerly passed the Act, which comes into effect on January 1, 2020, granting broad new privacy rights to "consumers" and enforcing requirements on the protection of their personal data allowing consumers the right to take back control of their personal information.
A "consumer" is defined as a "resident of California as defined by California's personal income tax regulations. "Personal information" pursuant to the Act is defined as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Personal information is generally recognized in California as information that can identify a specific individual. The Act also includes information that can be used to identify a household.
Provisions of the Act
Pursuant to the Act, consumers are given the right to know upon request if their personal information is disclosed, and to whom it is disclosed, the right to know what personal information has been collected about them by a business, the right to object to the sale of their personal information, the right to obtain data collected about them, the right to require businesses to obliterate their personal information, and the right to be given equal service and pricing from businesses, including equal prices and quality of goods or services. The Act forbids discrimination by businesses against consumers for exercising their privacy rights pursuant to the Act.
Businesses are, however, permitted to charge different prices or provide different quality of service to consumers if the difference is "reasonably related to the value provided to the consumer by the consumer’s data." Additionally, businesses must allow consumers to exercise their rights by providing to consumers toll-free telephone numbers and/or websites to request such information or privacy. If a consumer sends a verified request for information to a business, the business subsequently has 45 days to give the consumer the requested information from the preceding 12 months with no charge to the consumer.
Who Must Comply with the Act
The Act will apply to for-profit businesses that do business in the State of California, deal with personal information of California residents, and either·(1) have more than $25 million in annual gross revenues, or (2) receive or disclose more than 50,000 California residents' personal information, or(3) derive 50% or greater of California residents' annual revenues from selling their personal information.
Who is Exempted from Compliance with the Act
A for-profit company, a small company, and/or a company that does not derive large amounts of personal information and does not share a brand with an affiliate covered by the Act is exempted from complying with the Act. Additionally, a company is exempted from compliance with the Act "if every aspect of . . . commercial conduct takes place wholly outside of California," meaning: (1) the personal information was collected from the consumer while they were outside California, (2) no sale of their personal information took place in California, and (3) there was no sale of personal information that was collected while the consumer was in California.
According to 2017 estimates, California's population totaled approximately 39 million people. Clearly the Act will affect an incredibly large amount of people considering it concerns the most populous state in America. The California Consumer Privacy Act of 2018, which is being compared to the EU General Data Protection Regulation for its all-encompassing method and resilient privacy protections is also speculated to have an impact on businesses throughout the nation and around the world. While the costs will likely go up for companies to do business in California, the transparency and trust earned by business and gained by consumers in this new landscape could potential overcome the initial costs to provide these required services. Perhaps most importantly however, is if California consumers decide to take advantage of the new protections, they will no longer have to wonder what for-profit businesses are doing with their data.
Reprinted courtesy of Chapman Glucksman Dean Roeb & Barger attorneys Richard H. Glucksman, David A. Napper and Lana Halavi
Mr. Glucksman may be contacted at firstname.lastname@example.org
Mr. Napper may be contacted at email@example.com