California Passes Strictest Data Privacy Law in the Nation—Even Businesses Outside of California Could be Affected

Closed silver bank vault

California has now enacted the strictest data privacy law in the nation.

The Consumer Right to Privacy Act of 2018 ("California Privacy Act"), which is set to go into effect on January 1, 2020,  seeks to give consumers more control over their data.  

New Privacy Requirements


Under the California Privacy Act, California consumers will have the right to:

  • Request that a business collecting personal information from a California consumer disclose to the consumer the specific pieces and the categories of personal information the business has collected about the consumer, the sources from which the personal information was collected, the business or commercial purpose for collecting or selling the personal information, and the categories of third parties with whom the business will share the personal information, and;
  • Prohibit a business from selling that consumer's personal information to third parties (the "right to opt out"); and,
  • Request that a business deletes any of the consumer's personal information the business has collected (subject to some exceptions), which will then require the business to direct its service providers to delete the consumer's personal information as well.

If a consumer exercises these rights, businesses will be prohibited from then discriminating against the consumer by denying goods or services, charging difference prices (including denying the use of discounts or receipt of benefits), or providing a different level of quality of goods or services.  However, a business will be allowed to offer financial incentives to consumers for not "opting out," including payments as compensation for the collection and sale of the consumer's personal information.

Additionally, the California Privacy Act sets out specific ways that businesses must inform consumers of their rights, such as placing a link on the business's Internet homepage entitled "Do Not Sell My Personal Information," which must enable a consumer to opt out of the sale of the consumer's personal information.

Security


On the security side, the California Privacy Act also provides consumers with a private right of action in the event their data is subject to unauthorized access, theft, or disclosure as the result of a business's failure to implement and maintain reasonable security procedures.

Beyond California


The California Privacy Act has far-reaching consequences beyond the state of California because it applies to any business that does business in California whether it is located in California or not, which meets any of the following three thresholds:

  • Has annual gross revenues over $25,000,000;
  • Buys, receives, sells, or shares personal information of 50,000 or more California consumers annually, or,
  • Derives 50% or more of its annual revenue from the sale of personal information of California consumers.

If such a business controls or is controlled by another entity and shares common branding, that entity will also be covered by the California Privacy Act. 

There May be Additional Changes to Come


The California Privacy Act was the result of a last-minute push by California lawmakers in response to a separate ballot initiative that gained traction earlier this year.  That initiative would have been placed on ballots in November and, if passed by California voters, would have required even stricter data practices for all companies collecting personal information from California residents. 

Proponents of the ballot initiative withdrew their proposal following the California Privacy Act's passage.

The California Privacy Act was passed in haste, so all businesses should be aware that California lawmakers may file "clean-up" or clarification bills that could amend the current provisions prior to the January 1, 2020 effective date.

--
© 2024 Ward and Smith, P.A. For further information regarding the issues described above, please contact Angela P. Doughty, CIPP/US, AIGP.

This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.

We are your established legal network with offices in Asheville, Greenville, New Bern, Raleigh, and Wilmington, NC.

Subscribe to Ward and Smith