On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information. Key provisions of the Act include:
- Definition of Personal Information. Personal information is defined broadly as “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” The Act includes a list of enumerated examples of personal information, which includes, among other data elements, name, postal or email address, Social Security number, government-issued identification number, biometric data, Internet activity information and geolocation data.
- Applicability. The Act would apply to any for-profit business that “does business in the state of California” and (1) has annual gross revenues in excess of $50 million; (2) annually sells, alone or in combination, the personal information of 100,000 or more consumers or devices; or (3) derives 50 percent or more of its annual revenue from selling consumers’ personal information (collectively, “Covered Businesses”).
- Right to Know. The Act would require Covered Businesses to disclose, upon a verifiable request from a California consumer, the categories of personal information the business has collected about the consumer, as well as the categories of personal information sold and/or disclosed for a business purpose to third parties. The Act would also require Covered Businesses to identify (i.e., provide the name and contact information for) the third parties to whom the Covered Business has sold or disclosed, for a business purpose, consumers’ personal information. Covered Businesses would be required to comply with such requests free of charge within 45 days of receipt, and would be required to provide this information only once within a 12-month period.
- Exemption. Based on a carve-out in the definition of “third party” (which is defined to exclude (1) “the business that collects personal information from consumers under this Act” or (2) “a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract”), Covered Businesses would not be required to make the disclosures described above to the extent the Covered Business discloses personal information to another entity pursuant to a written contract with such entity, provided the contract prohibits the recipient from selling the personal information, or retaining, using or disclosing the personal information for any purpose other than performance of services under the contract.
- Disclosures and Right to Opt Out. The Act would require Covered Businesses to provide notice to consumers of their rights under the Act, and, where applicable, that the Covered Business sells their personal information. If the Covered Business sells consumers’ personal information, the notice must disclose that fact and state that consumers have a right to opt out of the sale of their personal information. Covered Businesses would be required to make this disclosure in their online privacy notice and to separately provide a clear and conspicuous link on their website that says, “Do Not Sell My Personal Information” and provides an opt-out mechanism. If a consumer opts out, the Covered Business would be required to stop selling that consumer’s personal information unless the consumer expressly re-authorizes such sale.
- Liability for Security Breaches. Pursuant to the Act, if a Covered Business suffers a “breach of the security of the system” (as defined in California’s breach notification law), the Covered Business may be held liable for a violation of the Act if the Covered Business “failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect personal information.”
- Enforcement. The Act would establish a private right of action and expressly provides that a violation of the Act establishes injury-in-fact without the need to show financial harm. The Act establishes maximum statutory damages of $3,000 per violation or actual damages, whichever is higher. Separately, the Act also would be enforceable by the California Attorney General and would authorize a civil penalty of up to $7,500 per violation. The Act also contains whistleblower enforcement provisions.
If passed, the Act would take effect November 7, 2018, but would “only apply to personal information collected or sold by a business on or after” August 7, 2019.