On June 28, California passed into law the California Consumer Privacy Act of 2018, which becomes operative on Jan. 1, 2020. As with the EU’s General Data Protection Regulation, the Privacy Act gives consumers greater control over the use and sharing of their personal information.
The Privacy Act allows a consumer to request that a business disclose:
- the categories and specific pieces of personal information that it collects about the consumer;
- the categories of sources from which that information is collected;
- the business purposes for collecting or selling the information;
- the categories of third parties with which the information is shared; and
- the specific pieces of personal information it has collected about the consumer.
A consumer may request similar information with respect to personal information that a business sells to third parties, and a consumer may instruct a business not to sell her or his personal information. Such businesses must include a link on their homepage titled “Do Not Sell My Personal Information.”
A consumer may also request deletion of any of her or his personal information the business has collected. However, a business is not required to comply with a deletion request under certain circumstances including, but not limited to, when the personal information is necessary to:
- complete the transaction for which the personal information was collected;
- enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
- comply with a legal obligation; and
- use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
Additionally, the Privacy Act is specifically inapplicable in a number of instances, including with respect to information that is deidentified or aggregated, information to or from a consumer reporting agency pursuant to the Fair Credit Reporting Act, information disclosed pursuant to the Gramm-Leach-Bliley Act, and information disclosed pursuant to the Driver’s Privacy Protection Act of 1994.
The Privacy Act provides consumers a private right of action in the event of the theft or disclosure of nonencrypted or nonredacted personal information resulting from a failure to maintain reasonable security measures. The Privacy Act allows for injunctive relief and damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Prior to initiating an individual or class action, a consumer must provide the business 30 days’ notice to cure the violation.
A business may seek the opinion of the Attorney General on how to comply with the provisions of the Privacy Act. Violations may result in civil penalties of up to $2,500 per violation pursuant to Cal. Bus. & Prof. Code § 17206, or up to $7,500 per violation for intentional violations.