Throughout the months leading up to the implementation of the EU General Data Protection Regulation (GDPR) — the EU’s radical overhaul of data privacy rules and regulations — we predicted that the states would begin enacting tougher, more stringent data privacy laws. (We even predicted that California would take the lead.) Yesterday, California enacted the California Consumer Privacy Act of 2018, which sets forth new requirements for the collection, use and sharing of personal information and disposes of a proposed ballot initiative which would have imposed substantially tougher privacy measures. Here is your “Renzulli Run Down” of several key aspects of the new law:
- The law applies to businesses with annual gross revenues over $25 million, or that meet other defined criteria.
- The law gives a number of rights to California consumers, including:
- The right to know what personal information is being collected about them.
- The right to know whether their personal information is sold or disclosed and to whom.
- The right to say no to the sale of personal information.
- The right to access their personal information.
- The right to equal service and price, even if they exercise their privacy rights.
- Like the GDPR, transparency is key under the new law. Businesses will be required to inform consumers of the categories of personal information being collected and the purposes for which that information is collected “at or before the point of collection.”
- Businesses will be obligated to delete personal information upon request, under certain circumstances, and will be required to ensure that their service providers do the same.
- The law also creates a private right of action for consumers, under certain circumstances, and provides for damages between $100 and $750 “per consumer per incident” or actual damages, whichever is greater.
Although the law does not go into effect until January 1, 2020, businesses need to assess existing data privacy policies and practices to ensure compliance before January 1, 2020. Now is the time to conduct those assessments, particularly given that every business should also be evaluating existing data privacy policies and practices to determine whether the GDPR applies and, if it does, to ensure compliance. (You can read more about the importance of GDPR compliance here and here.)
Please contact John Renzulli or Michael Patrick to discuss how Renzulli Law Firm can help you.