In light of how personal information may be vulnerable to misuse when shared on the Internet, AB 375, the California Consumer Privacy Act of 2018, was signed into law on June 28, 2018, by California Governor Jerry Brown. The law is to take effect on January 1, 2020. Although it can be amended until then, there are some key provisions companies in California will want to be aware of.
1. Companies subject to this provision are those:
a. That have an annual gross revenue in excess of twenty-five million dollars ($25,000,000);
b. That, alone or in combination, annually buy, receive, sell, or share for commercial purposes the personal information of fifty thousand (50,000) or more consumers; and
c. That derive fifty percent (50%) or more of their annual revenues from selling consumers’ personal information.
2. The bill grants consumers the right to request a business to disclose the following:
a. The categories and specific pieces of personal information that it collects about the consumer;
b. The categories of sources from which that information is collected;
c. The business purposes for collecting or selling the information; and
d. The categories of third parties with which the information is shared.
3. The bill also grants a consumer the right to request deletion of personal information and requires the business to delete such information upon receipt of a verified request.
4. A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver the personal information free of charge to the consumer. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a twelve (12) month period.
5. The law permits consumers to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services. However, there is an exception “if the difference is reasonably related to value provided by the consumer’s data,” in which case a consumer may not be able to opt out.
6. Under this Act, companies are prohibited from selling the personal data of individuals between the ages of thirteen (13) and sixteen (16) years old unless they specifically “opt in” through a parent or guardian, who must provide consent.
7. Under this Act, consumers will have the right to undertake civil actions against a service in the event of a data breach or exposure. Businesses may be subject to damages ranging from one hundred dollars ($100) to seven hundred and fifty dollars ($750) per consumer per incident, or to actual damages, whichever is greater.