In response to pressure from advocacy group Californians for Consumer Privacy, on June 21, 2018, California lawmakers proposed a new law, the California Consumer Privacy Act of 2018, which would significantly expand consumers’ rights over their data. The proposed law would apply to entities that do business in California, collect consumers’ personal information or determine the purpose and means of processing such data, and satisfy at least one of the following: (i) have over $25 million in annual gross revenue, (ii) buy or receive, sell or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (iii) derive 50 percent or more of revenue from the sale of consumer personal information.
The proposed law imposes several obligations on covered entities that may require such entities to reexamine and refine internal processes for identifying and processing certain requested data. For instance, upon receiving a verifiable consumer request, a covered entity would be required to provide a consumer with the categories and specific pieces of information collected, the sources of such information, the purposes for collecting or selling personal information, and the categories of third parties with whom the covered entity shares such information. Additionally, upon consumer request, the new legislation would require businesses to delete certain consumer data or withhold the sale of such data. Covered entities would be prohibited from discriminating against consumers who exercise any of their rights under the proposed law.
Covered entities that fail to cure an alleged violation within 30 days’ notice of alleged noncompliance could face a penalty of up to $7,500 if the violation is deemed intentional. The California Attorney General is responsible for enforcement of the proposed law, but consumers could also bring private action against a covered entity in certain circumstances if the California Attorney General decides not to prosecute.
If the legislation is not passed and signed into law by Governor Jerry Brown by June 28, 2018, similar legislation proposed by the Californians for Consumer Privacy group will appear on the state’s November ballot. Coming on the heels of E.U.’s implementation of the GDPR, the legislative activity in California reflects the growing political and constituency support in the U.S. to enact similar heightened protections for personal information.
The full text of the California bill can be accessed here.
The Californians for Consumer Privacy’s proposal can be accessed here.