California Enacts Strict Privacy Law

Last week, California Governor Jerry Brown signed into law AB 375, the so-called California Consumer Privacy Act of 2018. The Act was passed in order to defeat a stricter privacy-focused initiative set to appear on the November ballot, which we wrote about in May. The group behind that initiative withdrew it upon passage of the Act.

The Act takes effect in January 2020 and includes some features of the GDPR. Under the Act, California consumers will have the right to request that a business that collects a consumer’s personal information disclose to the consumer the categories and specific pieces of personal information the business has collected. This includes disclosure of the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling personal information, and the categories of third parties with whom the business shares personal information. A consumer also has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. The business must comply with the deletion request unless one of the listed exceptions applies.

Consumers also have the right to request information from a business that sells the consumer’s personal information or that discloses it for a business purpose. Consumers may also direct a business not to sell the consumer’s personal information, referred to as the right to “opt out.” Significantly, businesses must give notice to consumers that their information may be sold and that consumers have a right to opt out. Businesses cannot discriminate against a consumer because they opt out or exercise any of their other rights under the Act.

Assuming the notice requirements in the Act do not change between now and January 2020, businesses will be required to provide “a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.” A link to the “Do Not Sell My Personal Information” page, along with a description of a consumer’s opt out rights, must also be included in online privacy policy or policies.

The Act defines “personal information” broadly to include commercial information, Internet browsing and search history, identifiers such as Internet Protocol address, and professional or employment-related information. However, personal information specifically does not include publicly available information, meaning “information that is lawfully made available from federal, state, or local government records.” “Publicly available” does not include biometric information collected by a business without a consumer’s knowledge, or consumer information that is deidentified or aggregate consumer information.

The Act gives consumers the right to bring civil actions for statutory or actual damages or injunctive relief against businesses that violate its provisions. If the action is purely for statutory damages and the consumer has not suffered actual pecuniary damages as a result of a violation, the consumer must first provide the offending business with 30 days’ written notice identifying the specific provisions of the Act the consumer alleges have been or are being violated. If the business is able to cure the violation and provides written notice that no further violations shall occur, then the consumer cannot bring an action for statutory damages.

While the Act only applies to California consumers, businesses may find it easier to implement its requirements across all of their U.S. operations. In addition, other states may follow suit and pass similar privacy laws.

Follow Tracking Data for updates to the Act between now and when it takes effect, as well as information about what steps companies doing business in California must take to ensure compliance.

One thought on “California Enacts Strict Privacy Law

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s