April 14, 2020
The state of California recently passed new legislation giving its residents more control over their personal data, including what kind of information businesses collect from them and how that information is used. Big technology companies such as Facebook, Amazon, and Google are among the top companies that collect and use consumer information for advertising, among other purposes. The California legislature has highlighted the fact that many companies like these “may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.” Further, “the unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”
To protect against this harm and safeguard consumers’ private information, the California Consumer Privacy Act of 2018 (“CCPA”) now requires businesses to provide a high level of transparency to their business practices. Some of the requirements are:
• A business is required to comply with the CCPA if it does business in California and one or more of the following are true:
▸ it has gross annual revenues in excess of $25 million;
▸ it buys, receives, or sells the personal information of 50,000 or more consumers, households, or “Devices” (any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device); or
▸ it derives at least half its annual revenues from selling consumers’ personal information.
• A business that collects consumer personal data must, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purpose for which the information will be used.
• A business that sells consumers’ personal information to third parties must provide notice to consumers of their right to “opt out” of the sale of their personal information. Notice is to be given by way of a “Do Not Sell My Personal Information” link on the business’ homepage that enables consumers to opt out of a sale of their personal information without having to create an account with the business.
• A consumer has the right to request that a business that collects personal information about the consumer disclose:
▸ the categories and specific pieces of information the business has collected from the consumer;
▸ the categories of sources from which that information is collected;
▸ the business purposes for selling or collecting personal information; and
▸ the categories of third parties with whom the business shares personal information.
• A business must promptly take steps to disclose and deliver the required information to a consumer free of charge within 45 days of receiving a “verifiable consumer request” (a request made by the consumer or on behalf of the consumer that the business can reasonably verify to be the consumer about whom the business has collected personal information).
• A consumer has the right to request that a business that collects personal information about the consumer delete such information. With only a few exceptions, the business must delete the consumer’s personal information from its records and direct any third party service providers to do the same, upon receipt of a verified consumer request.
• Certain exceptions exist where a business is not required to comply with a consumer’s request to delete the consumer’s personal information. One such exception is if the personal information is needed to complete the transaction for which the personal information was requested.
• Businesses are not required to provide consumers access to their personal information more than twice in a 12-month period.
• Businesses are not required to retain consumer personal information for single, one-time transactions, unless the information retained is sold to a third party or maintained in a manner that would be considered “personal information.”
• Consumers who choose to opt out of the sale of their personal information or who exercise any of their other rights under these laws shall not suffer discrimination in terms of price and quality of goods or services or any other incentives businesses offer.
• Businesses can offer financial incentives for being allowed to collect or sell personal information with certain restrictions.
The CCPA is enforced by the California Attorney General, but it also gives California consumers a private right of action, allowing them to sue individually or as a class. Penalties for running afoul of the CCPA are substantial. Businesses may face fines of $2,500 to $7,500 for each intentional violation of the new law.
Need more information?
ESKRIDGE LAW may be contacted by phone (310/303-3951), by fax (310/303-3952) or by email (geskridge@eskridgelaw.net). Please visit our website at eskridge.hv-dev.com.
This article is based on the law as of the date posted at the top of the article. This article does not constitute the provision of legal advice, and does not by itself create an attorney-client relationship with Eskridge Law.