On June 28, the Governor of California signed the California Consumer Privacy Act of 2018. The Act becomes effective on January 1, 2020. It includes some of the novel aspects of the EU’s General Data Privacy Regulation (GDPR), such as the right to be forgotten. But it raises the ante.
Under the Act, a business that traffics in data that includes personal information about California residents must, upon request of the resident, disclose:
- The categories of personal information that it has collected
- The categories of sources from which the personal information is collected
- The business purpose for collecting the information
- The categories of third parties with which it shares the information
- The specific information about the resident that it has collected
The resident may at any time direct the business to cease selling information about him or her. Businesses that sell such information must inform consumers about this right to opt out, including by means of a clear and conspicuous link on the home page of their websites labeled “Do Not Sell My Personal Information.” Businesses may not discriminate against consumers who exercise their rights under the Act.
“Personal information” is defined broadly to include any information that is capable of being associated with a consumer, including online identifier, IP address, account name, email address, biometric information, geolocation data and employment-related information. Personal information generally does not include information that is lawfully made available from government records.
The Act does not pertain to businesses that have gross revenues of less than $25 million and that neither:
- Sell or share personal information about 50,000 or more consumers or internet-connected devices; nor
- Derive 50% or more of their annual revenue from selling consumers’ personal information.
The Act is quite detailed, so a careful review of its language is necessary for those who collect or trade in personal information about California residents. As experience with the GDPR has already taught, it is good to plan in advance to achieve compliance when the Act takes effect.