Wave of “GDPR-like” Data Privacy Legislation Continues with California’s Sweeping New Data Privacy Law

Written by: Richard Sheinis, Esq.

On June 28, 2018, California legislators enacted the California Consumer Privacy Act of 2018, granting new protections for consumers’ online data. The law does not take effect until January 1, 2020. It can still be amended by the California Legislature prior to that date, but don’t expect too much to change in this legislation, which is clearly aimed at tech giants such as Facebook, Google and Amazon.

The main features of the legislation are:

  • It applies to for-profit entities that do business in California and that:
    a) have annual gross revenues in excess of $25 million, or
    b) annually buy, receive, sell or share the personal information of 50,000 or more consumers, or
    c) derive 50% or more of their annual revenues from selling Consumers’ personal information.
  • The law only applies to the personal information of residents of California. These persons are defined as “Consumers”.
  • Consumers can request that a business disclose the categories and specific pieces of personal information it collected.
  • At or before the point of collection of personal information, the business shall inform Consumers of the categories of personal information to be collected, and the purposes for which the information will be used.
  • Businesses must allow Consumers to access their personal information.
  • Consumers may require a business to delete their personal information.
  • Consumers may require a business to disclose what personal information is collected, the source of the personal information, the purpose for the collection, and with whom the personal information is shared.
  • Consumers can “opt out” and direct a business not to sell their personal information.
  • Businesses must have a link on their website homepage titled “Do Not Sell My Personal Information” that allows consumers to opt out of having their personal information sold.
  • Businesses may not discriminate against Consumers for exercising their rights under the Act.
  • Personal information includes biometric information, internet browsing and search history, geolocation data and audio, electronic, visual, thermal and olfactory (yes, olfactory!) information.

The Act provides for a private right of action if a consumer’s personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business’ failure to have reasonable security procedures. Even if the Consumer does not suffer actual damages, they can still file a lawsuit for “statutory” damages. However, prior to initiating a lawsuit for statutory damages the Consumer shall provide a business 30 days’ written notice identifying the specific provisions of the Act the consumer alleges were violated. If the business cures the alleged violation, no lawsuit may be initiated for statutory damages. This notice requirement does not apply if the consumer alleges actual (not statutory) damages.

The wave of new data privacy and protection laws in a number of states might now qualify as a tsunami! Don’t expect it to stop any time soon. In fact, we can only expect the tsunami to gain strength with more states following the examples of California, Colorado and South Carolina.