The state of California has enacted a sweeping consumer protection law that gives individuals significantly more power in how their personal information is used and sold by companies and would require companies to disclose the type of data they collect and store on consumers.
The California Consumer Privacy Act of 2018 was approved by the state legislature last week. It is scheduled to go into effect on Jan. 1, 2020.
Rather than maintaining two different sets of consumer protection provisions — one for California and one for the rest of the country — most companies are expected to adopt the California provisions and apply them nationwide. This would be similar to how companies adopted new European privacy rules and applied them globally.
The law applies to any company that does business in California or collects personal information on California residents, and meets any of the following thresholds: has annual gross revenues in excess of $25 million, annually buys, sells, shares, or receives the personal information of more than 500,000 California residents, or derives at least 50% of its revenue from the sale of personal information of California residents.
Among the protections consumers will now have under the law are:
- The right to request the categories of information that covered business have collected
- The business or commercial purpose for selling that information
- Which third parties that information is shared with
- The right to have any information about themselves deleted
- The right to opt out of having their personal information sold
The law also broadens the definition of personal information to include:
… information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition includes, among other things: names and other identifiers such as IP addresses; account names; driver’s license and passport numbers; commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; biometric information; internet browser and search history, interaction with a website, application, or advertisement; location information; professional or employment-related information; educational information; and inferences drawn from any of the above information to create a profile about a consumer.
Under the law, consumers also have a private right of action to sue in the event their information is stolen in a data breach.