
What California's Consumer Privacy Act Means for Businesses


California’s Governor Jerry Brown has signed Assembly Bill 375, enacting the California Consumer Privacy Act of 2018. This Act, which has an effective date of January 1, 2020, is intended by the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information. It does so by granting California residents a broad range of new rights and by imposing on businesses that collect or sell personal information a variety of new requirements.

What the California Consumer Privacy Act Provides

Among other things, the Act provides the following:

  • Grants consumers a right to request a business that collects personal information to disclose (1) the categories and specific pieces of personal information that it collects about the consumer, (2) the categories of sources from which that information is collected, (3) the business purpose for collecting or selling the information, and (4) the categories of third parties with which the information is shared

  • Requires businesses to make disclosures about the information collected and purposes for which it is shared

  • Grants consumers the right to request deletion of personal information and requires businesses to delete that information upon receipt of a verified request

  • Grants consumers a right to request that a business that sells the consumer’s personal information disclose (1) the categories of personal information that it collects, (2) the categories of personal information that it sold about the consumer, and (3) the identity of third parties to which the information was sold

  • Requires a business that sells personal information to provide this information in response to a verified consumer request

  • Authorizes a consumer to opt out of the sale of his or her personal information

  • Requires a business that sells personal information to provide a clear and conspicuous link on the home page of its website titled “Do Not Sell My Personal Information” that will link to a web page that will enable consumers to opt out

  • Prohibits businesses from discriminating against a consumer for exercising the opt-out right

  • Authorizes businesses to offer financial incentives for the collection of personal information

  • Prohibits a business from selling the personal information of a consumer under 16 years of age unless otherwise specifically authorized

  • Imposes penalties on businesses for violations of the Act

  • Provides that the Act will be enforced by the state Attorney General

  • Creates a private right of action for consumers in connection with certain unauthorized access and exfiltration, theft, or disclosures of a consumer’s non-encrypted or non-redacted personal information

  • Declares that a waiver of a consumer’s rights under the Act in any contract or agreement is void and unenforceable

Which Businesses Are Affected by the California Consumer Privacy Act?

The Act applies to any sole proprietorship, partnership, LLC, corporation, association or other for-profit entity that does business in California and that (1) collects consumers’ personal information and (2) satisfies one or more of the following thresholds:

  • Has annual gross revenues in excess of $25 million
  • Buys, receives, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

The Act also applies to entities that control or are controlled by a business meeting the above criteria and that share common branding.

The term “consumer” is defined as a natural person who is a California resident.

What Should Affected Businesses Do?

Although the California Consumer Privacy Act does not go into effect until 2020, affected businesses may wish to begin taking the necessary steps to make sure they will be in compliance when 2020 arrives. While this article provides a general overview of the Act, businesses and their legal advisers should consult Assembly Bill 375 and Title 1.81.5 (commencing with Sec. 1798.100) of Part 4, Division 3 of the Civil Code, where the Act will be codified.

 

 
