California Legislature Passes Sweeping Privacy Law

On June 28, 2018, California passed an expansive privacy law—the California Consumer Privacy Act of 2018—that grants California consumers broad rights to control their personal information. The law was passed by the legislature and signed into law by Governor Brown in an effort to preempt an initiative on the November ballot that would have imposed much stricter requirements. While not as strict as Europe’s General Data Protection Regulation, California’s law will be the strictest in the nation and will impose significant new obligations on companies doing business in California with respect to personal information of California residents.  

Under the new law, which takes effect on January 1, 2020, consumers will have a number of new rights, which the legislature views as extensions or related to the right of privacy in the California Constitution, including the right to know what personal information is being collected about them, the right to know whether their personal information is sold or disclosed and to whom, the right to say no to the sale of personal information, the right to access their personal information, and the right to equal service and price, even if they exercise their privacy rights. Consumers will also have the right to request companies to delete information in certain circumstances.

To which businesses does the law apply?

The law applies to companies that do business in California and satisfy one or more of the following three thresholds: (1) having annual gross revenues in excess of $25,000,000, (2) annually buying, receiving for commercial purposes, selling, or sharing for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or (3) deriving 50 percent or more of revenues from selling consumer data.

What obligations does the law place on businesses?

The law was prompted by recent events, including massive data breaches and the use of large amounts of Facebook data by Cambridge Analytica, which raised demands for more transparency and control over the use of personal data. The intent of the law is to protect the specific rights identified above.

In order to protect these enumerated privacy rights, the law grants a number of new rights to consumer and correspondingly places significant new obligations on businesses:

• Broad Definition of Personal Information: The new law considerably broadens the types of data that is considered personal data, including information about a person’s protected status (e.g. race, sexual orientation), biometric data, transaction history (products or services purchased), online personal identifiers, IP addresses, a person’s history, browsing history, search history, geolocation data, education information, audio, electronic, visual, thermal, olfactory, or similar information, professional or employment-related information, information regarding a consumer’s interaction with an Internet website, application, or advertisement, and profiles about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Certain kinds of “publicly available” information are exempted from the definition of personal information and protections of the law.
• Right of Transparency: Consumers will have the right to request a business to disclose the categories and specific pieces of personal information the business has collected, the categories of sources of information from which it was collected, with whom the information has been shared or sold, and the business purpose for collecting or selling the information. It requires businesses that collect a consumer’s personal information to, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. In addition, a company cannot sell a consumer’s personal information unless they have given notice to the consumer of the sale and the ability to opt-out. Companies must provide online and toll-free options to exercise these rights and not act upon a consumer’s request without first verifying the consumer’s identity. These requests must be responded to free of charge within 45 days of receiving a verifiable request.
• Right of Deletion: Consumers have the right to request that a business delete any personal information previously collected. In order to facilitate these consumer requests, businesses must make available two or more designated methods for submitting requests, including, at a minimum, a toll-free telephone number and a function on the website. These rights of deletion are not absolute, however. A company can retain information in a number of circumstances, such as to complete the transaction, provide a good or service, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, detect security incidents, debug repairs, exercise free speech, engage in public or peer-reviewed research, and comply with legal obligations or use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
• Right to opt-out of sale of personal information: The law gives consumers the right to opt out of the sale of their personal information to third parties and directs businesses to provide information about this opt-out on their homepages. If the consumer is under the age of 16 and the business has actual knowledge of the consumer’s age, the business is prohibited from selling the consumer’s personal information unless the minor (or a guardian if the minor is younger than age 13) opts in to the sale of their personal information. Once the consumer opts out, the business cannot sell their information without the consumer’s express written consent. The definition of “sale” is broad and includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. However, the new laws carve out some important exceptions to the definition of a sale, including where the consumer intended to interact with the third party, sharing with a service provider provided notice is given of such sharing, and in the event of a merger or sale of the company as long as the data is used consistently with the seller’s privacy policy. 
• No discrimination for exercising privacy rights: The law prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. However, a business may offer financial incentives, including payments to consumers as compensation for the collection, sale, or deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
• Exceptions: There are a number of important exceptions to the law, including that it does not apply to protected health information under the federal Health Insurance Portability and Availability Act of 1996 or the California Confidentiality of Medical Information Act, personal information covered by the Gramm-Leach-Bliley Act applicable to financial institutions, or information provided to consumer reporting agencies. It also does not apply to de-identified and aggregated information. It also does not restrict a company’s ability to comply with federal, state, or local laws, comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities, cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law, or exercise or defend legal claims.
• Private Right of Action: The law provides a new private right of action in connection with security breaches. An individual, whose unencrypted and non-redacted information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information, may institute a civil action for statutory damages of $100 to $750 per incident or actual damages, whichever is greater.

The new California law will dramatically change the way companies collect and use personal information from consumers. Companies that already comply with GDPR will have an easier time adapting to these new rules, but policies, practices, and procedures will need to be examined and developed over the next year and a half to ensure that they are ready to comply when the new law takes effect on January 1, 2020.

The full text of the bill is available here. 

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, and Randall W. Edwards, an O’Melveny partner licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted. 

© 2018 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.