Skip to main content
Legal Alert

California Passes the California Consumer Privacy Act of 2018

California Passes the California Consumer Privacy Act of 2018

California has enacted a sweeping tough new privacy law. Dubbed the California Consumer Privacy Act of 2018, it provides that beginning on January 1, 2020, consumers will have the right to request, not more than twice in a 12-month period, that a business disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. Consumers will have the right to request deletion of personal information. Consumers may request that a business that sells the consumer’s personal information or discloses it for a business purpose, disclose the categories of information that it collects and the identity of 3rd parties to which the information was sold or disclosed. Consumers may opt out of the sale of his or her personal information, and a business may not discriminate against the consumer for exercising this right, including by charging the consumer a different price or providing a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. Businesses may offer financial incentives for the collection of personal information. Also a business may not sell the personal information of a consumer under 16 years of age, unless affirmatively authorized by opting in.

Personal information includes standard categories like people’s names, email addresses and Social Security numbers. It also covers unique personal identifiers: IP addresses; biometric information; geolocation data; shopping, browsing and search histories; and consumer profiles that are based on inferences from personal information, but does not include certain publicly available information from government sources.

Companies that store tracking cookies on people’s devices will need to give people an option to ask the company to delete the information collected through those cookies and will also need to ensure that those cookies and any corresponding information aren’t exposed in a data breach to avoid making the company subject to a class-action lawsuit. Any personal information that is “de-identified or in the aggregate consumer information” (i.e. the personal information that is not associated with any consumer), is arguably exempt from the law. A business that has disassociated the information will nonetheless still need to ensure that the disassociation cannot be undone or that the data is reconnected to the individual. Because almost all information can be connected to an individual one way or another, most businesses would be wise to assume that there is no exemption.

Businesses should be aware of the law’s requirements for receiving, processing, and satisfying these requests from consumers. The Attorney General has the right to enforce the law with civil penalties up to $7,500 per violation and to adopt regulations to further the statute’s purposes. Private parties may enforce the law in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information, and may recover damages of $100-$750 per violation.

The law does not prevent companies from collecting people’s information or give people an option to ask a company to stop collecting their information, differentiating it from the strong EU privacy act known as the GDPR, which came into force May 1, 2018. The new law also does not apply to personal information regulated by the federal Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act of 1994.

While the law only applies to a for-profit entity that collects personal information, does business in California, and which satisfies one or more of the following thresholds set forth below, the law's requirements will likely become the gold standard for all businesses collecting personal information:

  1. annual gross revenues in excess of $25,000,000;
  2. possesses the personal information of 50,000 or more consumers, households or devices; or
  3. earns more than half of its annual revenue from selling consumers personal information.

Businesses should assess their data collection and breach policies well in advance of the January 1, 2020 deadline in order to be fully compliant when the law goes into effect.

For More Information, Please Contact:

Jonathan Storper
Jonathan Storper
Partner
San Francisco, CA

Receive legal alerts, case analysis, and event invitations.

Join our mailing list