• Related Professionals -

Cybersecurity, Privacy and Data Protection Alert: California Consumer Privacy Act

July 20, 2018

On June 28, 2018, California enacted the sweeping Consumer Privacy Act, which takes effect on January 1, 2020, that contains similar provisions to the European Union’s General Data Protection Regulation (GDPR).

Businesses collecting personal information on California residents that fall into one of the following categories should begin planning now in order to be in compliance before the Act’s effective date:

  • A business that has annual gross revenues in excess of $25 million.
  • A business that annually buys, receives, sells, or shares for commercial purposes 50,000 or more consumers’ personal information or derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Certain exceptions will apply to exclude otherwise qualifying businesses from California’s new law. Two major exceptions include businesses governed by HIPPA regulations or the Gramm-Leach-Bliley Act.

Businesses that find themselves under the jurisdiction of California’s new privacy law should be aware that consumers will be armed with several individual rights:

  • A consumer shall have the right to request a business to disclose the categories and specific pieces of personal information that it collects about a consumer, its sources, its business or commercial purposes for collection or selling of information, and the types of third parties with whom the business shares information.
  • A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
  • A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer the categories of information collected and the identity of third parties to which the information was sold or disclosed.
  • A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.

As many U.S. companies will be affected by this law, planning now and adjusting to the mandates is advised. Considering that some of the terms and certain provisions of the law need greater clarity, staying up to date on further interpretive guidance and possible amendments is important as well. Please contact Walt Green or Greg Reda if you have any additional questions regarding this amendment or cybersecurity.