
Security Issues – California Consumer Privacy Act Affects You

Author: Scott Lindsey

On June 28, 2018, California Governor Jerry Brown signed Assembly Bill 375, the California Consumer Privacy Act of 2018, into law; it takes effect on January 1, 2020. The text of the law starts simply: “The California Constitution grants a right of privacy.” This is where the simplicity of the law ends. Earlier attempts to protect the privacy of California residents had produced a patchwork of confusing and disjointed laws. The new privacy law is definitive and broad, leaving little to interpretation.

The new law gives consumers the right to request that a business disclose:

  • The categories and specific pieces of personal information that it collects about the consumer
  • The categories of sources from which that information is collected
  • The business or commercial purpose for collecting or selling the information
  • The categories of third parties with whom the information is shared.

The law requires a business to provide this information in response to a verifiable consumer request.

The law also gives consumers effective control over their personal information by codifying the following rights:

  • To know what information is collected about them
  • To know whether their information is sold or disclosed and to whom
  • To say no to the sale of their information
  • To access their personal information
  • To have equal access to service and price, even if they exercise their privacy rights.


What Is Personal Information?

The law defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This is a broad definition and includes items such as real name, alias, postal address, unique personal identifiers, email address, account name, and driver's license number. Also included are records of personal property; products or services purchased, obtained or considered; and other purchasing or consuming histories or tendencies. Other key elements are browsing history, search history, information regarding a consumer's interaction with websites, applications and advertisements, and inferences drawn from any of this information to build a profile of the consumer. Publicly available information lawfully made available from government records is excluded from the definition.


Deleting Personal Information

A key attribute of this law is the consumer's ability to request that a business delete the personal information it has stored about the consumer. Upon a verifiable request, a business must delete the consumer's personal information and direct any service providers in possession of that information to delete it as well. A potential issue in executing a deletion is data held in backups. The text of the law is silent on backups, so it is an open question whether a business that receives a deletion request must also remove the information from every backup that might contain it, or whether it is enough to ensure that restored backups do not bring the data back into production use.

The exceptions to the deletion requirement are specific:

  • The data are required for the completion of a transaction or to finalize business dealings.
  • The data are needed to detect security incidents, to protect against malicious, deceptive, fraudulent or illegal activity, or to prosecute those responsible for such activity.
  • The data are needed to exercise free speech, to ensure the free speech rights of another consumer, or to exercise another right provided by law.
  • The data are needed for compliance with legal obligations.
  • The data are used solely for internal purposes that are reasonably aligned with the consumer's expectations based on the consumer's relationship with the business.


Non-Discrimination

The law prohibits discrimination against consumers who exercise their rights under it. A business must not discriminate against such a consumer by:

  • Denying goods or services
  • Charging different prices or rates, including through discounts, other benefits or penalties
  • Providing a different level or quality of goods or services
  • Suggesting that the consumer will receive a different price, rate, level or quality of goods or services because they exercised their rights under this law.

A business may offer financial incentives, including payments, as compensation for the collection, sale or deletion of personal information. The consumer must opt in with prior consent and may revoke that consent at any time. The incentive must not be unjust, unreasonable, coercive or usurious in nature.


How Will It Work?

A business must make available to consumers two or more methods of submitting requests for information. At a minimum, a toll-free telephone number and, if the business maintains a website, a website address are required. The business must promptly verify the request and has 45 days to disclose and deliver the information to the requestor. The period may be extended once by an additional 45 days when reasonably necessary, provided the consumer is notified of the extension within the first 45 days. The disclosure must cover the 12-month period preceding the receipt of the verifiable consumer request. A business is not obligated to provide the information to the same consumer more than twice in a 12-month period.

A business that sells personal information must also provide a clear and conspicuous link on its home page titled “Do Not Sell My Personal Information,” and the consumer must be able to opt out of the sale of personal information through it. The rule is reversed for minors: a business may not sell the personal information of a consumer it knows to be under 16 unless the consumer (or, for a child under 13, the parent or guardian) has affirmatively opted in.


Does My Business Need to Comply with This Law?

For-profit businesses that do business in California, collect consumers' personal information, determine the purposes and means of processing it, and satisfy at least one of the following thresholds are covered by the Act:

  • Annual gross revenues in excess of $25,000,000
  • Alone or in combination, annually buys, receives for commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices
  • Derives 50 percent or more of its annual revenue from selling consumers' personal information.


What Are the Penalties for Violating This Law?

A consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information may bring a civil action to recover:

  • Damages of not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater
  • Injunctive or declaratory relief
  • Any other relief the court deems proper.

In assessing statutory damages, the court considers the circumstances of the parties, the nature and seriousness of the misconduct, the number of violations, the persistence, length and willfulness of the misconduct, and the defendant's assets, liabilities and net worth.

Before bringing an action for statutory damages, the consumer must give the business 30 days' written notice identifying the provisions violated. If the business cures the violation within those 30 days and provides the consumer with a written statement that it has been cured and that no further violations will occur, no action for individual statutory damages may be initiated. Separately, the Attorney General may seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, for any violation of the Act that is not cured within 30 days of notice.


What Does This Mean to the Rest of the Country?

Cyber security and data privacy are hot topics across the country and the rest of the world. The European Union has enacted tough privacy law in the General Data Protection Regulation, and California is the first state in the United States to follow suit with a broad consumer privacy law. Other states are watching the effect of the California law closely, and it is expected that they will enact their own privacy and security laws in the near future. Your business should take notice of this law and determine how it will respond if the states in which it does business enact similar laws.


From the Editor: Scott Lindsey is President of CyberClearSafe and a member of the ACT Security Issues Work Group.

127 South Peyton Street
Alexandria VA 22314
phone: 800.221.7917
fax: 703.683.7556
email: info@iiaba.net
