As we reported in our July 3 Newsletter, on June 28, 2018, Governor Jerry Brown of California signed into law the California Consumer Privacy Act of 2018 (the “Act”). The ratification of the bill represented the culmination of a dramatic showdown between Californians for Consumer Privacy, a campaign for a ballot initiative to impose stricter data privacy rules on large corporations, and a coalition of large corporations, including Google, Comcast, and AT&T, in opposition (Verizon and Facebook, originally members of the opposition group as well, pulled out of the coalition in the spring). With June 28 serving as the deadline to withdraw a ballot measure for the November election, Californians for Consumer Privacy agreed to withdraw the ballot initiative in exchange for the ratification of the new law. Opponents of the legislation in the tech industry ultimately supported passage of the bill because legislation will be easier to amend in the future than a successful ballot initiative.
The Act will go into effect on January 1, 2020, and will create substantial new rights for consumers, defined as California residents, and responsibilities for businesses. Not all businesses will be subject to the provisions of the Act. The Act essentially applies to any for-profit entity that collects consumer personal information, does business in California, and satisfies one or more of the following thresholds: a) has annual gross revenues in excess of $25 million; b) buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices annually; or c) derives 50 percent or more of its annual revenues from selling consumers’ personal information. The Act also applies to any entity that i) controls or is controlled by a business that is subject to the Act and ii) shares common branding with that business.
Among the new rights for consumers and responsibilities for businesses under the Act are the following:
- Consumers will have the right to disclosure of their personal information that a business has collected;
- Consumers will have the right to request that a business delete their personal information that the business has collected;
Consumers will have the right to request that a business not sell their personal information;
The Act imposes new limitations on the sale of personal information of consumers under the age of 16; and
The Act creates anti-discrimination protections for consumers who exercise any of their rights under the Act.
The Right to Disclosure of Personal Information
The Act gives consumers the right to disclosure of the categories and specific pieces of their personal information collected by a business. This disclosure must be free of charge, and steps must be taken promptly to disclose and deliver. Specifically, the disclosure must be made within 45 days, or within 90 days if the business informs the consumer within 45 days that it is exercising its right under the Act to a 45-day extension and gives the reasons for the delay.
Further, the disclosure must be in a portable and readily useable format that would allow the consumer to transmit it to another entity without hindrance, to the extent technically feasible.
A business may provide personal information to a consumer at any time, but is not required to provide personal information to a consumer more than twice in a 12-month period. If a consumer’s request is manifestly unfounded or excessive, the business may either charge a reasonable fee, taking into account administrative costs, or refuse to act on the request and notify the consumer of the reason for the refusal. If the business does not take action on the request of a consumer, the business must inform the consumer without delay. The business bears the burden of demonstrating that a consumer request is manifestly unfounded or excessive. Businesses are not required to retain personal information that is collected for a single, one-time transaction and not sold or retained.
The Right to Request Deletion of Personal Information
The Act gives consumers the right to request deletion of their personal information that a business has collected. The Act requires businesses to disclose to consumers that they have the right to request deletion. A business that receives a request to delete personal information must both delete the personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
The business or service provider is not required to comply with the deletion request if the personal information is necessary for the business or service provider to perform certain acts, such as: a) completing the transaction for which the personal information was collected; b) detecting and prosecuting deceptive, fraudulent, or illegal activity; c) debugging to identify and repair errors that impair existing intended functionality; d) exercising free speech, or another right, or ensuring the right of another consumer to exercise free speech; e) complying with a legal obligation; f) complying with the California Electronic Communications Privacy Act; g) engaging in certain research in the public interest that adheres to all other applicable ethics and privacy laws; or h) using the personal information for certain internal uses within the business that are compatible with the consumer’s business relationship with the business or the context in which the consumer provided the personal information.
The Right to Request that a Business Not Sell Personal Information
The Act gives consumers the right, at any time, to direct a business that sells their personal information to third parties to refrain from doing so. This is referred to as the “right to opt out.” A business that sells consumers’ personal information to third parties must provide notice to consumers that the information may be sold and that consumers have the right to opt out. A business that receives a request not to sell the consumer’s personal information must refrain from doing so unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
Limitations on the Sale of Personal Information of Consumers Under the Age of 16
The Act requires that a business not sell the personal information of minor consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless a consumer between 13 and 16 years of age, or the parent of a consumer less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. This is referred to as the “right to opt in.” A business that willfully disregards the consumer’s age will be deemed to have actual knowledge.
Anti-Discrimination Protections for Consumers Who Exercise Rights Under the Act
The Act prohibits businesses from discriminating against a consumer because the consumer exercised any of their rights under the Act. Such prohibited discriminatory actions include: a) denying goods or services to the consumer; b) charging different prices or rates for goods or services, including through the use of discounts or penalties; c) providing a different level of quality of goods or services; or d) suggesting that the consumer will receive a different price or level of quality of goods or services.
The Act does provide an exception to this rule in the event that the business charges a consumer a different price or provides a different level of quality of goods or services and the difference is reasonably related to the value provided to the consumer by the consumer’s data. Further, a business may offer financial incentives, including payments to consumers as compensation, for the collection, sale, or deletion of personal information. A business may offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data. A business that offers financial incentives must notify consumers of the incentives available. A business may only enter a consumer into a financial incentive program if the consumer gives prior opt-in consent, which clearly describes the material terms of the financial incentive program and may be revoked by the consumer at any time.
What to Expect Going Forward
In light of the new responsibilities that the Act imposes, businesses will have to undertake steps in the next seventeen months to install the necessary procedures and systems to ensure that they will be prepared, starting January 1, 2020, to respond to consumer requests regarding their personal information pursuant to the Act. Importantly, the Act provides a private right of action for consumers to recover damages in an amount between $100 and $750 per consumer per incident, or actual damages, whichever is greater, as well as injunctive relief.
Prior to initiating an action against a business for statutory damages, whether on an individual or class-wide basis, a consumer must provide the business 30 days’ written notice identifying the provisions of the Act being violated. The consumer’s lawsuit will not be permitted if the business cures the violation within 30 days and provides the consumer an express written statement that the violations have been cured and no further violations shall occur. If the business continues to violate the Act in breach of the express written statement, the consumer may initiate an action to enforce the written statement and may pursue statutory damages for breach of the express written statement, as well as any other violations that postdate the written statement. No notice is required for an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of violations of the Act.
A consumer bringing an action must notify the Attorney General that an action has been filed within 30 days of doing so. Upon receipt, the Attorney General shall do one of the following: a) notify the consumer that the Attorney General intends to prosecute an action against the violation, with the consumer permitted to proceed with the action if the Attorney General does not prosecute within 6 months; b) refrain from acting within the 30 days, allowing the consumer to proceed; or c) notify the consumer bringing the action that the consumer shall not proceed.
Under the Act, businesses may seek the opinion of the Attorney General for guidance as to how to comply with the provisions of the Act. A business that violates the Act and fails to cure within 30 days after notification will be liable for a civil penalty in an amount up to $7,500, which will be assessed and recovered via a civil action commenced by the Attorney General.
With more than a year to go before the Act takes effect and the legislation leaving the door open for amendments, businesses should stay tuned to further developments concerning the Act. In the meantime, businesses should begin to evaluate the internal systems and procedures that they already have in place and determine the steps they will need to take to be able to comply with the Act when it goes into effect.