When: The Act goes into effect on January 1, 2020, and will be subject to clarification by the legislature before that date.
Who: With important caveats, it applies to businesses that collect consumer personal data.
For purposes of the Act, “business” means a for-profit legal entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in California.” To be subject to the Act, the business must satisfy one of the following thresholds:
- Have annual adjusted gross revenues greater than $25 million;
- Buy, receive, sell, or share personal information of 50,000 or more consumers; or
- Derive 50% of its annual revenue from selling consumers’ personal information. [1798.140 (c)]
The term “consumer” means “a natural person who is a California resident” as defined by California law. [1798.140 (g)]
“Personal information” is information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to data that typically is considered personal, the Act also includes categories like products or services “purchased, obtained, or considered, or other purchasing or consuming histories or tendencies,” geolocation information, “audio, electronic, visual, thermal, olfactory, or similar information,” professional or employment-related information, and education information. [1798.140 (o)]
What: Generally, the Act gives consumers the right to:
● Request that a business disclose the categories and specific pieces of information the business has collected [1798.100]
● Request that a business delete personal information [1798.105]
● Request that a business disclose categories of personal information and its sources, the business purpose for sale or collection of the information, categories of third parties with whom the information is shared, and the specific pieces of personal information it has collected about the consumer. [1798.110]
● Request that a business that sells the consumer’s personal information disclose the categories of information it has collected and sold, categories of third parties to which it is sold, and the categories of information that the business disclosed for a business purpose [1798.115]
● Direct a business not to sell the consumer’s personal information [1798.120]
The Act prohibits businesses from denying goods, charging different prices or rates, or providing different levels of service based on a consumer exercising his or her rights under the Act. [1798.125]
How: The privacy components of the Act are enforced by the state Attorney General, but the Act also provides a private right of action for any consumer whose nonencrypted or nonredacted personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Consumers may recover damages of not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. The consumer’s civil action, however, may be preempted if the California Attorney General opts to prosecute an action following the breach or disclosure. The Act allows for a civil penalty of up to $7,500 for each violation in actions brought by the Attorney General. [1798.155]