The Skinny on California Consumer Privacy Act
By Angela Polania
The California Consumer Privacy Act (https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375) gives “consumers” (defined as natural persons who are California residents) basic rights in relation to their personal information. The Act is 24 pages and easy to read if you are interested.
The following is a summary of what lawmakers intend the new California Consumer Privacy Act to be:
Consumers have the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parents’, opt-in).
- Access their personal information.
- Receive equal service and price, even if they exercise their privacy rights.
Business groups such as the California Chamber of Commerce, among others, are already lobbying to remove key provisions protecting the rights of California citizens, a change that counter groups such as the Electronic Frontier Foundation (EFF) consider a weakening of the Act. The provisions affecting businesses include the following:
- Disclose to a requesting consumer the categories and specific pieces of personal information the business has collected. There is lobbying already taking place to keep it as broad categories rather than specific pieces of personal data.
- At or before the point of data collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
- Disclose and deliver, for free, personal information as requested by consumers. Businesses are not required to provide personal information to a consumer more than twice in a 12-month period.
- Retain any personal information collected for a single, one-time transaction, if the information is not sold or retained by the business.
- Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
- Provide an easy way for consumers to opt out (e.g. a clear and conspicuous “Do Not Sell My Personal Information” link).
Businesses should have toll-free numbers, privacy notices, opt-in and opt-out mechanisms, data access, data deletion, and data portability.
Businesses may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation. It is not clear whether a “violation” means each instance or each record.
A ‘business’ is defined as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners; that collects consumers’ personal information, or on whose behalf such information is collected; that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information; that does business in the State of California; and that satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of $25,000,000.
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Other states, including Georgia and Alabama, are firming up their privacy policies. Federal regulation is unlikely in the near future, but the compliance burden keeps increasing as each state or national government develops and/or improves its data privacy regulations. Certainly, just keeping track of breach notification requirements can be interesting.
Thank you for taking the time to read this article.