Last week, California Governor Jerry Brown signed into law AB 375, the so-called California Consumer Privacy Act of 2018. The Act was passed in order to defeat a stricter privacy-focused initiative set to appear on the November ballot, which we wrote about in May. The group behind that initiative withdrew it upon passage of the Act.
The Act takes effect in January 2020 and includes some features of the GDPR. Under the Act, California consumers will have the right to request that a business that collects a consumer’s personal information disclose to the consumer the categories and specific pieces of personal information the business has collected. This includes disclosure of the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling personal information, and the categories of third parties with whom the business shares personal information. A consumer also has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. The business must comply with the deletion request unless one of the listed exceptions applies.
Consumers also have the right to request information from a business that sells the consumer’s personal information or that discloses it for a business purpose. Consumers may also direct a business not to sell the consumer’s personal information, referred to as the right to “opt out.” Significantly, businesses must give notice to consumers that their information may be sold and that consumers have a right to opt out. Businesses cannot discriminate against a consumer because they opt out or exercise any of their other rights under the Act.
The Act defines “personal information” broadly to include commercial information, Internet browsing and search history, identifiers such as Internet Protocol address, and professional or employment-related information. However, personal information specifically does not include publicly available information, meaning “information that is lawfully made available from federal, state, or local government records.” “Publicly available” does not include biometric information collected by a business without a consumer’s knowledge, or consumer information that is deidentified or aggregate consumer information.
The Act gives consumers the right to bring civil actions for statutory or actual damages or injunctive relief against businesses that violate its provisions. If the action is purely for statutory damages and the consumer has not suffered actual pecuniary damages as a result of a violation, the consumer must first provide the offending business with 30 days’ written notice identifying the specific provisions of the Act the consumer alleges have been or are being violated. If the business is able to cure the violation and provides written notice that no further violations shall occur, then the consumer cannot bring an action for statutory damages.
While the Act only applies to California consumers, businesses may find it easier to implement its requirements across all of their U.S. operations. In addition, other states may follow suit and pass similar privacy laws.
Follow Tracking Data for updates to the Act between now and when it takes effect, as well as information about what steps companies doing business in California must take to ensure compliance.