On June 29th, the State of California enacted the California Consumer Privacy Act of 2018,a sweeping new law that imposes a host of new regulations on the collection, use, and disclosure of consumers’ personal information. The stated purpose of the law is to protect the privacy of California residents by ensuring the following rights:
- The right to know what personal information is being collected about them;
- The right to access that information;
- The right to know whether that information is being sold or disclosed;
- The right to prevent such a sale; and
- The right to enjoy equal service and price even if one exercise’s his or her privacy rights.
Once the law goes into effect, before collecting any personal information from California residents, affected businesses must inform them of the categories of personal information being collected and the purposes for which that information is collected. Afterwards, California residents may request that a business disclose: (1) the sources from which their information was collected; (2) the purpose behind collecting it; (3) who the information will be sold to or shared with; and (4) the specific elements of information were collected. The business must also delete a consumer’s personal information upon request in certain circumstances.
Who is Affected?
The new law primarily affects for-profit businesses that collect use, or share personal information of California residents and that meet one or more of the following criteria: (1) have annual gross revenues greater than $25,000,000; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50%or more of its annual revenues from selling consumers’ personal information. The law does not apply to protected health information regulated by California’s Confidentiality of Medical Information Act or by HIPAA’s privacy rules, but it does apply to the other personal information held by an organization that meets the criteria above and doing business in California.
Businesses that sell consumer information will also have to take additional steps to ensure compliance, as the law permits California residents to restrict or prohibit the sale of their information under certain circumstances. Under the law such businesses must post conspicuous “Do Not Sell My Personal Information” links on their websites.
Finally, the law creates a private right of action for consumers’ claims arising from the unauthorized access and exfiltration, theft, or disclosure of unencrypted and nonredacted personal information, with statutory damages ranging between $100 and $750 per consumer per incident or actual damages, whichever is higher.
The new law go into effect on January 1, 2020.