Client Alert: California Enacts the California Consumer Privacy Act
Yesterday, California enacted the California Consumer Privacy Act of 2018. The law imposes new regulations on the collection, use, and disclosure of consumers’ personal information that will significantly impact companies doing business in California. Fortunately, companies have until January 1, 2020 to comply with these new regulations.
The law creates new privacy rights for California consumers, including:
- The right for consumers to know what personal information is being collected;
- The right to know whether their personal information is being sold or disclosed;
- The right to prevent the sale of one’s personal information;
- The right to access one’s personal information; and
- The right to enjoy equal service and price even if one exercise’s his or her privacy rights.
Under the law, businesses will have to inform consumers of the categories of personal information being collected and the purposes for which that information is collected before its collection. Thereafter, consumers may request that the business disclose: (1) the categories of personal information it has collected about the consumer, (2) the sources from which that information is collected, (3) the business purpose for collecting or selling the personal information, (4) the third parties with whom the business shares personal information, and (5) the specific pieces of personal information it collects. Upon a verifiable request from a consumer, businesses will also have to provide the categories and specific pieces of personal information the business has collected on that consumer. The business will also be obligated to delete a consumer’s personal information upon request in certain circumstances.
Businesses will also have to take additional steps whenever selling or sharing consumers’ personal information with third parties. The law permits consumers to opt out of the sale or sharing of their personal information to a third party in certain circumstances and restricts the sale of personal information of consumers under the age of 16. To facilitate this regulation, businesses will have to include conspicuous “Do Not Sell My Personal Information” links on their websites. The law also prohibits businesses from varying the price or quality of goods or services to a consumer who exercises his or her privacy rights, unless the difference in quality or price is related to the value provided to the consumer by the consumer’s data, such as an ad-free streaming service.
Finally, the law creates a private right of action for consumers’ claims arising from the unauthorized access and exfiltration, theft, or disclosure of unencrypted and nonredacted personal information. The law provides statutory damages that are the greater of: (a) between $100 and $750 per consumer per incident, or (b) actual damages.
The law was unanimously approved by both houses of the California Legislature and signed by Governor Jerry Brown contingent upon the withdrawal of a popular ballot initiative. The ballot initiative would have imposed tougher privacy restrictions and would also have required a 70% supermajority by both legislative chambers to amend its language. By approving this new law, California’s legislative branch retains the flexibility to amend it through a simple majority in each chamber.
For questions about this new privacy law, please contact John Landolfi, Chris Ingram, or your Vorys attorney.