The California Consumer Privacy Act, AB No. 375

Governor of California Jerry Brown signed AB 375 on June 28, 2018; it takes effect January 1, 2020.

The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and requires a business or person that suffers a breach of security of computerized data that includes personal information, as defined, to disclose that breach, as specified.

AB 375

OVERVIEW

Effective date: January 1, 2020

Applies to for-profit businesses doing business in California that meet any of the following:

  1. Annual gross revenues in excess of $25M;
  2. Annually buys, receives for its commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenue from selling consumers' personal information.


Consumer is defined broadly as a natural person who is a California resident, which includes employees, customers, vendors and individuals associated with commercial customers, provided they are California residents.


Personal information is defined broadly: it covers information that identifies, relates to, or could reasonably be linked with a particular consumer or household, and expressly includes:

  1. Purchasing history, browsing history
  2. IP addresses, persistent identifiers that identify a person or device
  3. Consumer profiles
  4. Geolocation data

RIGHTS UNDER THE NEW LAW

Right to receive information about and copies of personal information. On request, a business must disclose the categories of personal information that, within the preceding 12 months, it has:

  1. Collected
  2. Sold to a third party
  3. Disclosed for a business purpose
  4. And provide the categories of third parties to whom it sold PI or disclosed PI for a business purpose

Right to opt out. Consumers can opt out of the sale of their PI. For certain minors (consumers under 16) a business must instead obtain affirmative opt-in consent before selling their PI.

Right to be free from discrimination. Businesses may not charge different prices or deny goods or services to consumers who exercise their rights, including opting out (with certain exceptions). Businesses may offer certain financial incentives in connection with the collection, sale or deletion of personal information.

PENALTIES AND ENFORCEMENT

-Private right of action is limited: it applies only to data breaches in which non-encrypted, non-redacted personal information is exposed because the business failed to maintain reasonable security

-Statutory damages of $100-$750 per California resident per incident, or actual damages, whichever is greater

-The Attorney General can bring a civil action

-$7,500 per intentional violation; $2,500 per unintentional violation that is not cured within 30 days of notice

20% of penalties collected are allocated to a new “Consumer Privacy Fund” to offset the cost of enforcement

Consumers may authorize a third party (companies, activists and associations) to exercise opt-out rights on their behalf

EXCEPTIONS TO THE CCPA

-Where compliance would interfere with legal processes (complying with other laws, civil or criminal inquiries, subpoenas, or cooperating with law enforcement)

-Where the information is already covered by other state or federal privacy laws, such as GLBA or HIPAA

-Where compliance would violate an evidentiary privilege, such as the attorney-client privilege (ACP)

ADDITIONAL GUIDANCE FOR ORGANIZATIONS

Prepare data maps, inventories or other records of all personal information pertaining to California residents, households and devices, together with its sources, storage locations, uses and recipients. These records are needed to add the newly required disclosures to privacy policies, to answer data access, deletion and portability requests, to secure prior consent from parents and minors before sharing data, and to honor opt-out requests.

Consider alternative business models and web/mobile presences, including California-only sites and offerings.

Make available designated methods for submitting data access requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, a web address.

Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the business’ Internet homepage.

Fund and implement new systems and processes to comply with the new requirements to:

  • Verify the identity and authorization of persons who make requests for data access, deletion or portability
  • Respond to requests for data access, deletion and portability within 45 days

Do not ask a California resident who has opted out to authorize the sale of their PI again for at least 12 months.

Update privacy policies with newly required information, including a description of California residents’ rights.

Determine the age of California residents, since a business that “willfully disregards the consumer’s age” is treated as having actual knowledge of it, and implement processes to obtain parental or guardian consent for minors under 13 and opt-in consent from minors aged 13 to 15.