US legislatures are following the European Union's lead in
defining data protection. California just passed a sweeping new
consumer data protection law, giving California consumers more
control over how their personal data is used by businesses
operating in California, and providing for civil damages and fines
against businesses that violate the law's personal data
protection requirements.
The California Consumer Privacy Act of 2018
(California Act) was introduced on June 21 by California State
Assembly Member Ed Chau and State Senator Robert Hertzberg, and was
quickly signed into law on June 28 by
California Governor Jerry Brown. The California Act preempts a
stricter consumer data protection ballot initiative that was set
for the November 2018 California ballot. With the enactment of the
new California Act, that ballot initiative has been withdrawn as part
of a negotiation between California lawmakers and Alastair
Mactaggart, the San Francisco real estate developer responsible for
launching the initiative.
Right-to-Know and Right-to-Be-Forgotten
While not as strict as Mactaggart's initiative, the
California Act grants California consumers [1]
"right-to-know" and "right-to-be-forgotten"
data protections—hallmarks of Europe's recently enacted
General Data Protection Regulation (GDPR). Specifically, under the
California Act, businesses operating in California [2] must,
at the consumer's request, tell consumers what type of personal
data is being collected, why that personal information is being
collected, and if personal data is being shared with or sold to a
third party. Businesses also are required to delete any personal
information at the request of the consumer and to give consumers
the ability to opt-out of the sale of their personal information to
third parties.
Penalties for Noncompliance
Civil relief for the unauthorized disclosure of personal data
under the law is capped at a $750 fine per consumer per incident
or actual damages (whichever is greater). Civil
penalties for intentional violations, imposed by the California
Attorney General, are capped at $75,000 per violation (however,
fines are only imposed on businesses that fail to cure violations
within 30 days of notification).
Covered Businesses
While the law is expansive in its consumer protection elements,
it only applies to larger businesses that meet one or more
of the following three criteria:
Gross revenue exceeding $25 million
Personal information of 50,000 or more California consumers or households is maintained
50% or more of annual revenue comes from selling consumers' personal data
The law provides time for covered businesses to prepare for its
enactment, as its requirements will not be imposed until January 1,
2020.
US Early Response to GDPR also Seen in Chicago
The California Act can be seen as an early US response to
Europe's GDPR, as American citizens call for similar personal
data protection. For instance, in April, a wide-ranging personal
data protection city ordinance (Personal Data Collection and Protection
Ordinance) was introduced in Chicago. If passed, the ordinance
would impose GDPR-like restrictions on data brokers, website
operators, online service providers, mobile phone retailers, and
mobile application owners operating within the city. Specifically,
the Chicago ordinance would require website operators to obtain an
opt-in consent from Chicago residents before they could use,
disclose, or sell a resident's personal information. It would
also require mobile device retailers to provide notice about
location service functionality, and would prohibit mobile
applications from collecting, using, or disclosing geolocation
information without obtaining affirmative express consent from the
user. And it would require data brokers (defined as commercial
entities that collect, assemble, and possess personal information
about Chicago residents who are not their customers or employees)
to register with the city and provide the city with annual reports
about the collection and use of personal data.
Conclusion
It is clear from the text of these new laws that lawmakers,
activists, and private citizens around the United States are
watching Europe intently and working to provide US citizens with
more control over their personal data. Companies that process and
use personal data as part of their business will need to follow
suit.
Footnotes
[1] “Consumer” is defined in the act as a
natural person who is a resident in California.
[2] The act defines “business” as an entity
that collects or processes or "determines the purposes and
means of processing" consumers’ personal data that does
business in the State of California.
This article is provided as a general informational service
and it should not be construed as imparting legal advice on any
specific matter.