knowledge | 9 August 2018 |
California Consumer Privacy Act of 2018 – Not Quite GDPR, But Almost!
On 28 June 2018, the California State Legislature passed the California Consumer Privacy Act of 2018 (the “Act”). The Act will become operative from 1 January 2020 and will (unless amended or repealed in the intervening time) introduce data privacy protections and requirements similar to, and in some cases broader, than those in relation to the personal data of citizens of the European Union (“EU”) under the General Data Protection Regulation (“GDPR”), in respect of “…natural person[s] who [are] California resident[s]…” (“Californian Consumers”).
The Act was quickly prepared and passed by the California legislature to avoid a potentially more restrictive citizens’ initiative being put to a ballot in November 2018. Had this citizen’s initiative passed by popular vote, it could only have been amended by a super-majority of 70% in both houses of the California legislature, or through a further citizen’s ballot.
Reflecting the urgency with which it was drafted, the Act does not repeal or amend any of California’s current laws on privacy or data protection, even where the new provisions are inconsistent with already existing law. Instead the Act provides that “… in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control…”
The law applies to for profit businesses that receive personal information relating to Californian Consumers, do business in California and either:
(a) Have annual gross revenue of $25 million or more;
(b) Collect, sell or share for commercial purposes the personal information of at least 50,000 Californian Consumers, households or devices; or
(c) Derive at least 50% of its annual revenues from selling Californian Consumers’ personal information.
The Act further applies to the parent or subsidiary of any company who meets the above criteria and shares common branding with that company, regardless of whether the parent or subsidiary does business in California.
Companies with no physical presence or affiliate in California may be able to avoid complying with the statute, if they can demonstrate that their commercial conduct takes place “…wholly outside of California."1
Definition of Personal Information
The Act defines personal information as meaning “… information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is extremely broad and seems likely to be similar to the EU concept of personal data.
The Act introduces a number of new rights for Californian Consumers:
(a) Right of Disclosure: Californian Consumers will have the right to request that businesses disclose what personal information is being collected about them, how the consumer’s personal information was sold or disclosed, and the categories of third parties with whom the business shares personal information.
(b) Right of Access: The Act requires businesses, in response to a valid request, to provide Californian Consumers with the personal information collected by the business, in a format that allows the information to be easily transmitted to another entity.
(c) Right to Deletion: The Act also gives Californian Consumers the right to request that their personal information be deleted by a business that holds it. Such a request can only be refused on specific grounds.
(d) Right to Opt-Out of Sale of Data: Californian Consumers will have the right not to have their personal information sold by businesses unless they have received both notice of the sale and an opportunity to opt-out.
(e) Protection from Discrimination due to Exercise of Rights: The Act prohibits discriminatory action by businesses towards Californian Consumers who elect to exercise their privacy rights.
Requirements for Businesses
The Act also imposes a number of new requirements on businesses related to personal information:
(b) Provide Obvious Opt-Out Option: Businesses must add a clear and conspicuous link on their homepage entitled “Do Not Sell My Personal Information,” which takes Californian Consumers to an opt-out tool that prevents their personal information from being sold or disclosed to third parties for non-business purposes.
(c) Respond to Consumer Disclosure Requests: Businesses must provide disclosures requested by a Californian Consumer within 45 days of the consumer’s request (no more than twice per year), and provided that they are able to “reasonably verify” the identity of the requesting consumer.
(d) Determine Consumer Age: Businesses must determine the age of Californian Consumers and implement processes to obtain the correct consents for data sharing. Affirmative consent from the consumer is required in the case of minors between 13 and 16 years of age, while parental or guardian consent is required for minors under 13 years of age.
(e) Provide Methods for Consumers to Request Disclosures: Businesses must provide at least two methods for Californian Consumers to submit requests for information disclosures, including, at a minimum, a toll-free telephone number and a website address (if the business maintains a website).
Sanctions and remedies
If enforced by California’s Attorney General, the Act provides for a civil penalty of up to $2,500 for each violation (once a 30 day period to rectify the violation has elapsed), or up to a $7,500 civil penalty for each intentional violation of the Act.
If the Attorney General declines to prosecute the violation in question, the Act creates a right for Californian Consumers to bring civil actions where personal information is compromised in a data breach due to a failure to implement reasonable security measures. Plaintiffs are entitled to recover damages of between $100 and $750 per consumer per incident, or actual damages if greater.
Differences between the California Consumer Privacy Act and the GDPR
Many businesses worldwide have undertaken significant privacy compliance efforts in the past year in response to the application of the GDPR from 25 May 2018. Such companies may have hoped that these measures would have addressed most if not all of their privacy compliance efforts for the foreseeable future. However, for businesses that will be in scope of the Act, they can expect to be subject to similar but not entirely overlapping obligations in connection with their processing of personal information of Californian Consumers. Businesses should check if the Act is likely to apply to them and, if so, review their handling of personal information to determine whether it will satisfy the requirements of the Act.
Also Contributed by Sadhbh O'Sullivan.
- The information was collected while the individual was outside of California, no part of the sale of such information took place in California and no information collected while the individual is in California is sold.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.