The California Consumer Privacy Act, AB No. 375 -The Governor of Califorina, Jerry Brown signed AB 375 on June 28th, 2018 and takes effect January 1st, 2020.

The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and requires a business or person that suffers a breach of security of computerized data that includes personal information, as defined, to disclose that breach, as specified.

AB 375

OVERVIEW

Effective date: January 1, 2020

The new law applies to businesses that collect information from California residents and meet at least one of the following thresholds: 

  1. Annual gross revenues in excess of $25M 
  2. Annually buys, receives for its commercial purposes, sells, or shares for commercial purposes personal information relating to 50K or more consumers, households, or devices; or
  3. Derives 50% or more of annual revenue from selling consumer personal information

Consumer is defined broadly and includes employees, customers, vendors and individuals associated with commercial customers who are residents of California

Personal information is defined broadly – includes information linked not only to a particular consumer but also households. Also expands information to include:

  1. Purchasing history, browsing history
  2. IP addresses, persistent identifiers that identify a person or device
  3. Consumer profiles
  4. Geolocation data

RIGHTS UNDER THE NEW LAW

  1. The right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
  2. The right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
  3. The right to have a business delete their personal information, with some exceptions; and
  4. The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.

PENALTIES AND ENFORCEMENT

-Private right of action is limited

-Statutory damages between $100-$750 per California resident and incident or actual damages, whichever is greater

-The Attorney General can bring a civil action

-$7500 per intentional violation; for unintentional violations uncured within 30 days notice, $2500

20% of penalties are allocated to a new “Consumer Privacy Fund” to fund enforcement

Companies, activists and associations can be authorized to exercise opt-out rights on behalf of CA residents

EXCEPTIONS TO THE CCPA

-Where compliance interferes with compliance with legal processes

-Where certain information protection is already covered by other state and federal privacy laws such as GLBA 

-Where compliance violates privileges such as ACP

ADDITIONAL GUIDANCE FOR ORGANIZATIONS

Prepare data maps, inventories or other records of all personal information pertaining to California residents, households and devices, as well as information sources, storage locations, usage and recipients, to add newly required disclosures to privacy policies, to prepare for data access, deletion, and portability requests, to secure prior consent for data sharing from parents and minors and to comply with opt-out requests to data sharing.

Consider alternative business models and web/mobile presences, including California-only sites and offerings.

Make available designated methods for submitting data access requests, including, at a minimum, a toll-free telephone number.

Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the business’ Internet homepage.

Fund and implement new systems and processes to comply with the new requirements to:

  • Verify the identity and authorization of persons who make requests for data access, deletion or portability
  • Respond to requests for data access, deletion and portability within 45 days

Avoid requesting opt-in consent for 12 months after a California resident opts out.

Update privacy policies with newly required information, including a description of California residents’ rights.

Determine the age of California residents to avoid charges that the company “willfully disregards the California resident’s age” and implement processes to obtain parental or guardian consent for minors

Advertisements