California Adopts Strictest Consumer Privacy & Data Protection Law in the Nation
July 9, 2018 | by Jonathan Marashlian
California Gov. Jerry Brown recently signed into law the California Consumer Privacy Act of 2018 (CCPA). The CCPA is the nation’s strictest consumer privacy and data protection measure, becoming effective January 1, 2020.
The CCPA applies to any for-profit entity doing business in California that:
- collects consumers’ personal information solely or jointly with others, and
- either (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the personal information of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from personal information sales.
The law covers large amounts of non-public information and is more expansive than existing state law. Under the CCPA, personal information includes items such as IP address, commercial information, biometrics, Internet activity, geo-location data, employment-related information, education information, and “inferences” drawn from any such information to create a profile reflecting consumer characteristics.
The CCPA will require covered businesses to observe an assortment of consumer rights and related notices that, in certain respects, resemble those recently codified in the European Union via its General Data Protection Regulation (GDPR). The CCPA’s new rights include:
- Right of Access. Consumers may request disclosure of the specific personal information that a business has collected about the consumer.
- Right of Deletion. Consumers may request that a business delete any personal information it has collected from the consumer and direct any service providers to do the same, subject to several exceptions, such as when personal information is needed to complete requested transactions or services.
- Right to Know. Consumers may request disclosure of the categories and specific pieces of personal information collected about them, the sources from which the personal information was collected, the purpose for such collection, and the categories of third parties the personal information is shared with or sold to.
- Right to Opt Out or Opt In. Consumers may opt out of any sale of their personal information to third parties, and consumers under age 16 must opt in to any such sales.
- Right of Equal Service. Covered businesses must not discriminate against consumers exercising any of the above rights, including through pricing and quality of goods or services, unless different treatment is reasonably related to the value provided to the consumer by his or her data.
Violations of the law can result in Attorney General investigation and enforcement under California’s Unfair Competition Law. But the real teeth in the CCPA are the private right of action and statutory penalties of up to $7,500 per violation. When transacting in thousands, even millions of bits of personal information, companies subject to the CCPA are at great risk of incurring painful consequences.
The CCPA also provides a limited private right of action for data breaches, defined as any instance in which unencrypted personal information is subject to unauthorized access or otherwise disclosed as a result of a violation of the business’s duty to observe reasonable security procedures and practices.