By: Lindsay Volle, Attorney
The California Constitution grants a right of privacy. And now, with the passing of AB 375, also known as the California Consumer Privacy Act of 2018, this right to privacy has evolved to meet the needs of consumers in the modern world of data collection.
With every web search, companies collect analytics and gather information about consumers. Last week I searched for plumbers on the internet; this week I saw two advertising banners for plumbers in my area. Somewhere in the “world wide web” it has become known that I am in need of a plumber and that information is being used to create personalized, targeted advertising.
But what if I want to opt out? Beginning January 1, 2020, The California Consumer Privacy Act of 2018 will allow me to do so. The text of AB 375 provides “it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
Great news for consumer protection, but what does this mean for California businesses? That depends. For-profit businesses that collect or receive consumer information and who meet any of the following criteria will be required to comply with the California Consumer Privacy Act of 2018:
- Has annual gross revenues in excess of $25 million
- Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Based on the above criteria, it might seem that this new law only applies to “big” businesses with “big” marketing departments. However, the CCPA has practical implications for even small businesses who are marketing on the internet. For instance, Facebook and Google ads are popular marketing tools. But these ads use consumer’s collected information and data to target an audience. If more than 50,000 people see your ad, suddenly your business is subject to the law.
So if the law applies – what does this mean for my business? If your business activity would trigger the CCPA, your business will be required to:
- Disclose to a requesting consumer the categories and specific pieces of personal information the business has collected;
- Inform consumers, at or before the point of collection, the categories of personal information to be collected and the purposes for which the categories of personal information shall be used;
- Upon receipt of a verifiable consumer request, disclose and deliver (free of charge) the personal information as requested by consumers.
Additionally, if your business sells personal information to third parties, the consumer will have the right to opt out. A clear and conspicuous link titled “Do Not Sell My Personal Information,” will be required to enable consumers to easily opt out of the sale of the consumer’s personal information.
Businesses are not required to retain any personal information collected for a single, one-time transaction if such information is not sold.
Enforcement of this new law will vary depending on the extent or severity of the infringement. However, the text of the law authorizes broad authority for the Attorney General to prosecute actions against violations.