California has enacted the California Consumer Privacy Act of 2018, a comprehensive online consumer privacy law which promises to upend the way businesses use consumer personal information. The preamble to the law cited the right to privacy enshrined in California’s Constitution, as well as the revelation earlier this year concerning Cambridge Analytica, where “tens of millions of people had their personal data misused,” as justification for passage of the bill.
The new law grants California consumers the right to access and control their personal data, including:
- The right to know what information is being collected about them.
- The right to know whether their information is being sold or disclosed and to whom.
- The right to say no to the sale of personal information.
- The right to access their personal information.
- The right to equal service and price, even if they exercise their privacy rights.
Businesses that are subject to the law will need to take steps to come into compliance before it becomes effective on January 1, 2020. Among other things, businesses will be required to:
- Provide certain notices to consumers prior to collection of personal information about what data is collected and how the data is to be used.
- Put together a process to respond to “verifiable consumer requests” to access and review personal data collected by the business.
- Respond to consumer requests to delete personal information, subject to some exceptions which allow a business to hold onto data despite a request from a consumer for deletion.
- Allow consumers to opt out of the sale or disclosure of their personal information.
- Refrain from selling to third parties personal information of a consumer who has opted out.
- Update their websites to provide a link to a “Do Not Sell My Personal Information” web page and update their privacy policies with required disclosures.
- Include a disclosure of consumers’ privacy rights in their website privacy policies and update the disclosure annually.
- Include certain terms specified by the statute in their contracts with subcontractors.
In addition, businesses may not discriminate against consumers who have opted out of having their personal information sold or shared, although businesses are allowed to offer consumers certain financial incentives in an attempt to prevent a consumer from opting out of the selling or sharing of personal information.
It took only a week for the new law to go from draft legislation to Governor Jerry Brown’s desk for signature. The law was fast-tracked to avoid a planned ballot initiative with provisions that were considered less desirable by both legislators and the tech industry. If passed, this ballot initiative would have required 70% approval from the Legislature to make any changes to it once it became law and would also have included a private right of action for any infraction.
The new law is enforceable by the California Attorney General and also includes a private right of action with statutory damages for unauthorized access or infiltration, theft or disclosure of unencrypted or unredacted consumer personal information as a result of the business’s failure to employ reasonable security measures.
The bill charges the Attorney General with drafting regulations to assist with its implementation that are informed by “broad public participation.” It is also anticipated that due to the swiftness with which the bill was passed, there will be some corrective amendments to follow.
For more information, please contact Jane Shea, Melissa Kern, Michael Nitardy or any other attorney in Frost Brown Todd’s Privacy and Information Security Law Practice Group.