The sweeping, GDPR-like California Consumer Privacy Act provides Californians enhanced control over personal information. It does so by ensuring that they know what personal information is being collected about them, whether it is disseminated to third parties and who those third parties are, and by giving them the right to refuse dissemination of their personal information and to access it at any time.
Under the Act, “personal information” is defined broadly to include “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples include personally identifiable information, IP address, browsing information, and biometric and geolocation data. Importantly, the definition also includes inferences drawn from these sources.
The Act applies to businesses that collect, transfer or sell the personal information of California consumers and that either have annual gross revenue in excess of $25 million, or purchase, receive, sell or share the personal information of 50,000 or more “consumers, households or devices,” or derive 50% or more of their annual revenues from selling consumers’ personal information.
Before collecting Californians’ personal data, businesses must make various disclosures in their privacy policies. First, “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” Next, the categories of personal information they have collected, sold or disclosed. Lastly, a description of the consumer’s rights under the Act, including how to request information regarding what has been collected, opt-out rights and how to request deletion of data.
Businesses must provide two or more methods, including a toll-free number and a website, for consumers to exercise these rights. They must also disclose, without limitation, the categories of information collected, the third parties with whom it is shared, the sources from which personal information was collected and the purposes for collecting it, free of charge, within 45 days of a verified request.
Covered entities must provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information.” It must link to a web page that gives consumers the ability to opt out of the dissemination of their personal information.
The Act also prohibits businesses from discriminating against a consumer because the consumer exercised any of the consumer’s rights. Financial incentives for the use of their data on an opt-in basis are not considered a violation of the Act.
The opt-out regime does not apply to minors.
Consult with a Federal Trade Commission attorney to consider the creation of separate data collection vehicles for Californians, outline the data collected, analyze how it is utilized and disseminated, and implement procedures for responding to information requests.
The Act will be enforced by the California Attorney General. The AG can impose up to $7,500 per intentional violation and $2,500 for an unintentional violation that is not cured within thirty days of notice. There is a limited private right of action, following a notice and cure procedure, for specifically defined cybersecurity violations.
The Act is set to go into effect on January 1, 2020. However, efforts to narrow the scope of the bill continue. Given the uncertainty and complicated nature of the Act, big tech has been pushing for a federal privacy bill.