After the EU GDPR followed by UK DPA and German DPA, we now have California Consumer Privacy Act of 2018 which has been passed to take effect from January 2020. (See the copy of the text here)
Under the new law, California consumers will have the right to:
— know all the data collected by a business and be able to transfer it twice annually for free.
— to opt out of having their personal information sold (but companies will then be able to charge those consumers higher fees).
— to delete their data.
— to tell a business it can’t sell their data.
— to know why the data is being collected.
— to be informed of what categories of data will be collected before it’s collected and to be informed of any changes to that.
— to be told the categories of third parties with whom their data is shared and the categories of third parties from whom their data was acquired.
— to have businesses get permission before selling any information of children under the age of 16.
According to the law,
Any consumer whose nonencrypted or nonredacted personal information, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
(a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:
(1) Comply with federal, state, or local laws.
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(4) Exercise or defend legal claims.
(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
(6) Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.
For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold.
This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.
(b) The obligations imposed on businesses shall not apply
where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c) This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of “medical information” in Section 56.05 shall apply and the definitions of “protected health information” and “covered entity” from the federal privacy rule shall apply.
(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.
(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if it is in conflict with that act.
The Act will be explored in greater details in due course through this column.