I. INTRODUCTION
The state of California has enacted the California Consumer Privacy Act of 2018, which became effective on January 1, 2020. Intended to provide greater protection for consumer data of California residents gathered by businesses, it represents the most comprehensive data privacy law enacted to date in the United States.
The Act requires businesses to implement policies providing consumers the right to (a) know what type of personal information is collected; (b) opt-out of the sale of personal information to third parties; and (c) request that a business delete personal information that it has collected.
II. APPLICABILITY
The California Consumer Privacy Act applies to any business that:
III. DEFINITIONS
Consumer – A natural person who is a California resident (any individual who is in California for other than a temporary or transitory purpose); or domiciled in California, but outside of California for a temporary or transitory purpose. Consumer is not limited to “customers,” but also includes employees, individuals associated with commercial customers, vendors and business partners, independent contractors, and visitors to company premises.
Personal Information (PI) – Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular consumer or household (e.g., commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies; internet or other electronic network activity information, including browsing and search histories; education information; and audio, electronic, visual, thermal, olfactory, or similar information). Includes information identified in eleven enumerated categories, including:
IV. INDIVIDUAL RIGHTS
Individuals “protected” by the California Consumer Privacy Act have the following rights:
A. Right to Know
Under the Act, consumers have the right to know what type of information is being collected about them and for what purpose. Businesses subject to the Act that collect PI must disclose to consumers, at or prior to the time of collection, the categories of PI to be collected and the reasons for collecting such information.
B. Request for Personal Information
Consumers may also request records of PI that have been collected by the business. Businesses receiving such a request must disclose (a) the type of PI collected; (b) the sources from which PI is collected; (c) the purposes for collecting PI; (d) the third parties with whom the business shares the personal information; and (e) the specific pieces of information that the business has collected. Businesses must respond to a records request within 45 days. Consumers are limited to receiving records from a business no more than two times per year and businesses are only obligated to respond to a consumer request if it is verifiable (subject to verification that the person making the request for records is, in fact, the subject of such records). The Act requires businesses to provide two separate methods for consumers to submit requests related to their PI, such as a toll-free telephone number or a website that accepts consumer requests.
C. Right to Opt-Out
Consumers are also granted the right to opt out of the sale of their personal information to a third party under the Act. Businesses that engage in the sale of personal information must inform consumers that they sell information and must notify consumers that they have a right to opt out under the Act. Consumers under the age of 16 are required to “opt in,” since consumers between ages 13 and 16 must affirmatively consent to the sale of their information. In the case of consumers under 13 years of age, the consumer’s parent or guardian must provide consent.
D. Right to Request Deletion
Consumers are granted the right to request that personal information collected by a business be deleted. Businesses need not delete information necessary to consummate a transaction with a consumer, detect or report security incidents or illegal activity, or comply with legal obligations.
V. GRAMM-LEACH-BLILEY ACT EXCEPTION
The California Consumer Privacy Act does not apply to personal information collected, processed, sold, or disclosed, pursuant to the Gramm-Leach-Bliley Act and implementing regulations.
VI. PRIVATE RIGHT OF ACTION
A consumer can sue if:
A. Available Relief
VII. ATTORNEY GENERAL ENFORCEMENT
Civil penalties provided under the Act must be exclusively assessed and recovered in a civil action brought by the California Attorney General. The California Attorney General may not bring an enforcement action until six months after the publication of final regulations implementing the Act, or July 1, 2020, whichever is sooner.
A business is in violation of the Act if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Businesses that violate the Act are subject to the issuance of an injunction and civil penalties of $2500 for each violation and $7500 for each intentional violation.