AB 375 is the result of a compromise between the Democrats in the California legislature and consumer privacy advocates led by real-estate mogul Alistair Mactaggart. Mactaggart and his organization, Californians for Consumer Privacy (CCP), sponsored a sweeping ballot initiative aimed at giving consumers the right to know what personal information is collected about them and to whom this information is sold. It also provides the right to prevent businesses from selling or disclosing consumers’ personal information. In exchange for withdrawing the ballot initiative, Assemblyman Ed Chau (D-Arcadia) introduced AB 375 to enact the California Consumer Privacy Act of 2018. Governor Jerry Brown signed the bill into law on June 28, 2018. The law goes into effect January 1, 2020.
What entities are covered?
Entities (and their agents) are subject to the law if they do business in California, collect consumers’ personal information, determine the purposes and means of processing that information, and meet one of the following thresholds:
- Have gross revenues in excess of $25,000,000; or
- Buy, share, or sell the personal information of 50,000 or more consumers, households, or devices for commercial purposes; or
- Earn 50% or more of their annual revenues from selling consumer personal information.
Reading the above, it’s clear which companies are in the California Consumer Privacy Act’s crosshairs: the “FANG” companies of the business world (Facebook, Amazon, Netflix, Google).
What is consumer personal information?
Under the California Consumer Privacy Act, “personal information” is broadly defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act gives some examples of personal information, but notes that this is not an exhaustive list: identifiers, such as names, addresses, email, account name, social security number, and commercial information, such as records of personal property and products or services purchased.
What are employers’ obligations under the California Consumer Privacy Act?
Covered businesses will have new compliance obligations under the Act, including:
- Disclose, after a request from a consumer, the types of personal information collected, the sources of collection, the business purposes for collecting or selling the information, and any third parties with whom the information is shared;
- Delete, after a request from a consumer, the consumer’s personal information;
- Refrain from selling the personal information of a consumer who opts out of the sale, and refrain from discriminating against a consumer who exercises the right to opt out;
- Refrain from selling the personal information of a consumer under 16 years old, unless specifically authorized to do so;
- Maintain reasonable security measures to protect consumer data.
In order to effectuate the responsibilities outlined above, a covered business must provide at least two mechanisms for receiving consumer requests. At minimum, this must be a toll-free number and a website address. The consumer personal information must be provided within 45 days after receipt of a consumer request. This may be extended by an additional 45 days, as long as the consumer is given notice within the initial 45-day period. The disclosure covers a 12-month window.
What are the pain points for noncompliance?
Failure to Maintain Reasonable Security Measures for Protecting Consumer Data
The California Consumer Privacy Act provides a private right of action if certain conditions are met. In a nod to privacy advocates, the Act punishes covered businesses for failing to maintain reasonable security measures to protect consumer data. A consumer whose information is stolen or exfiltrated may sue the covered business and recover damages of $100 to $750 for each incident; injunctive relief; or any other relief a court finds proper.
In a concession to businesses, the conditions are lengthy. First, a consumer wishing to sue under the Act must give 30 days’ written notice to a business the consumer believes has violated the Act. Within that 30-day period, the business can cure the violation without incurring any liability. Next, if the business fails to cure, the consumer must notify the Attorney General of the alleged violation. The Attorney General must then notify the consumer within an additional 30-day period of its intent to prosecute. If the Attorney General does not respond to the consumer within those 30 days, the consumer may proceed in court against the covered business. Alternatively, if the Attorney General notifies the consumer of its intent to prosecute but fails to do so within 6 months, the consumer may sue the covered business.
Failure to Disclose Consumer Information
The Act provides for civil penalties of up to $7,500 for each violation.
The bottom line:
If your business is covered by the California Consumer Privacy Act, you should consult with counsel to begin implementing practices and procedures for fielding consumer requests regarding their personal information. You should also review your security protocols for maintaining consumer personal information.
If your business is not covered by the Act, it is still wise to pay attention to the Act’s rollout in 2020. Consumer privacy is an international topic of concern, with the European Union’s General Data Protection Regulation (GDPR) being a prime example of ongoing efforts to regulate consumer privacy issues.