Amster Rothstein and Ebenstein, LLP - Intellectual Property Law

ARE Privacy Law Alert:
CALIFORNIA ADOPTS THE CALIFORNIA CONSUMER PRIVACY ACT OF 2018 RELATING TO THE USE OF PERSONAL INFORMATION STARTING IN 2020

August 22, 2018
Author(s): Charles R. Macedo, Douglas A. Miro, David Goldberg, Chandler Sturm*

The California Consumer Privacy Act (“CCPA”), signed into law on June 28, 2018 and scheduled to go into effect on January 1, 2020, focuses on consumers’ rights and control over their personal information as well as transparency requirements related to companies’ data practices. The full text of the Act can be found at:  https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.  With the intent to grant consumers more control and insight into the spread of their personal information online, this legislation places burdensome new requirements and restrictions on businesses that collect and sell personal information of California residents.

Under the CCPA, personal information encompasses any information that “identifies, relates to, describes, is capable of being associated with” or that could “reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140(o)(1)).  Excluded from the definition is information that is publicly available. (1798.140(o)(2)).
 
The Act applies to any for-profit business that does business in California, collects and controls consumers’ personal information, and meets one of the following criteria:  
 
(1) has annual gross revenues in excess of $25 million; 
(2) buys, collects, sells, or shares personal information of 50,000 or more consumers or households; or 
(3) receives 50% or more of its annual revenue from selling consumers’ personal information.
 
(1798.140(c)).
 
Key features of the CCPA include the following rights granted to consumers with respect to their personal information:
 
The Right to Know What Personal Information Is Collected or Sold
 
The CCPA establishes a right to request that a business disclose:  
 
(1) the categories of personal information it has collected about that consumer; 
(2) the categories of sources from which the personal information is collected; 
(3) the business or commercial purpose for collecting or selling personal information; 
(4) the categories of third parties with whom the business shares personal information; and
(5) the specific pieces of personal information it has collected about that consumer.
 
(1798.110 (a)). 
 
At or before the time of collection, the business must affirmatively disclose what categories of  personal information will be collected and the purposes for which it will be used. (1798.100(b)).
 
In addition, the business must also provide two or more methods for consumers to submit requests for information (e.g., toll-free telephone number, mail, email). (1798.130(a)(1)).  Within 45 days of receipt of such request, a business is required to disclose the information to the consumer, free of charge. (1798.130(a)(2)).
 
The Right of Deletion
 
Under the CCPA, the consumer has the right to request the business to delete any personal information that the business has collected from the consumer. (1798.105(a)).  Businesses are obligated to honor the request, except if the personal information is necessary to:
 
•complete a transaction or contract with the consumer, 
•respond to security incidents or protect against fraudulent or illegal activity, 
•comply with a legal obligation, or 
•engage in scientific, historical, or statistical research in the public interest. 
(1798.105(d)).
 
The Right to Opt Out of the Sale of Personal Information
 
Consumers have the right to “opt out” of the sale of their personal information by a business to any third-parties. (1798.120(a)).  Businesses may not sell personal information without giving notice and a chance for affected consumers to opt out. (1798.120(b)).  The Act therefore requires a business to provide a “clear and conspicuous” link on its website, entitled “Do Not Sell My Personal Information,” leading to a webpage that enables a consumer to opt out. (1798.135(a)(1)).
 
The Right to Equal Service and Price If Privacy Rights Are Exercised 
 
The CCPA establishes that a business cannot deny, provide a different level of quality of, or charge different prices for goods or services because a consumer has exercised his or her rights under the Act. (1798.125(a)(1)).  However, there are exceptions to this right where the difference in prices or services is reasonably related to the value provided by the consumer’s data. (1798.125(a)(2)).  Businesses, therefore, may be permitted to charge consumers who request deletion of their information a different rate or level of service. Id.
 
* * * * * *
 
As for enforcement of the CCPA, a business that violates any provision of the Act may be subject to civil penalties imposed by the California Attorney General of up to $7,500 for each violation. (1798.155(b)).  In addition, the Act creates a private right of action, permitting a consumer to seek statutory or actual damages if the consumer’s personal information is subject to unauthorized access, exfiltration, theft, or disclosure “as a result of” a failure by the business to put “reasonable” security procedures and practices in place. (1798.150(a)(1)).  However, this right is limited, as consumers are required to provide businesses with 30 days’ written notice of the alleged violation before filing suit, and precludes an action of the business cures the alleged violation in that time frame. (1798.150(b)(1)).  In addition, within 30 days of filing, consumers must provide notice to the Attorney General, who has the authority to notify the consumer they must not proceed with the action. (1798.150(2)-(3)).
 
We will continue to monitor updates on whether the California state legislature continues to refine and amend the Act before the final version goes into effect on January 1, 2020.  In the meantime, please feel free to contact one of our attorneys regarding compliance strategies. 
 
* Charles R. Macedo and Douglas A. Miro are Partners, David P. Goldberg is an Associate and Chandler Sturm is a Law Clerk at Amster, Rothstein & Ebenstein LLP.  Their practice focuses on all areas of intellectual property law, including patent, trademark and copyright.  They may be contacted at [email protected], [email protected], [email protected] and [email protected]



View all ARELaw Alerts

Print

Upcoming Events

View all Events >

RSS FEED

Never miss another publication. Our RSS feed (what is RSS?) will inform you when new articles have been posted.

Amster Rothstein & Ebentein RSS Feed Subscribe now!

AREnet Access
©2007-2018 Amster Rothstein & Ebenstein LLP.    All rights reserved. | Disclaimer