On June 28, the California legislature passed AB 375, the California Consumer Privacy Act of 2018. The impact of the law reaches far beyond California. Much like the European Union's General Data Protection Regulation (GDPR), which went into effect on May 25, the California Consumer Privacy Act echoes the recent trend of providing a greater degree of control to consumers over their personal information. California's new law is the most rigorous privacy measure in the United States in decades and may trigger other states to follow suit in the future. Businesses collecting personal information from consumers in California should be proactive in reviewing their current procedures and implementing new protocols to ensure compliance with the Act. Given the broad reach of websites, it seems likely that most businesses in the U.S. (and many abroad) have consumer information on a California resident and therefore must comply with the law.
The law protects "consumers," which are defined as California residents or individuals domiciled in California who are outside the state for a "temporary or transitory purpose." A "business" subject to the law is classified as one that does business in California and (a) has gross revenues in excess of $25 million; (b) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its revenue from selling the personal information of consumers. The law is slated to go into effect on January 1, 2020, and it will take almost as much time for businesses to put together a compliance program.
The key takeaways from the Act include:
- Prior to or at the time of collection, businesses are required to inform consumers of the categories of personal information that will be collected and how the personal information will be used;
- Businesses will be required to disclose whether they sell personal information to third parties, including the specific personal information that is sold along with the identity of those third parties;
- Consumers can object to the sale or sharing of their personal information. As part of this directive, businesses will be required to include a conspicuous option on their website where consumers can select "Do Not Sell My Personal Information" in order to opt out;
- Consumers have the right to request a complete record of the personal information collected by businesses and whether that information is shared with third parties;
- Businesses must implement a verification process so consumers can prove their identity when requesting their personal information;
- A consumer has the right to request that a business delete any personal information which the business has collected from the consumer;
- The sale of the personal data of children will require an express opt-in authorization. If the child is between 13 and 16, the child can provide the opt-in. If the child is younger than 13, the parent must provide the opt-in; and
- The law provides for a private right of action for unauthorized access to a consumer's unencrypted or unredacted personal information with a fine of up to $7,500 per violation. It will also be enforced by the California Attorney General.
If you have any questions on the California Consumer Privacy Act and its impact on your organization, please contact Alex Koskey or any member of Baker Donelson's Data Protection, Privacy, and Cybersecurity Team.