In June 2018, California lawmakers passed a groundbreaking, GDPR-like privacy law. It is the strictest in the nation.
The California Consumer Privacy Act of 2018 provides “consumers” (i.e., natural persons that are California residents) some fundamental rights in relation to their personal information.
- The right to know what personal information is collected about them, where it was collected from, how it is being used, whether it is being disseminated to third-parties and who it is disseminated to.
- The right to “opt out” of dissemination of personal information to third-parties.
- The right to have their personal information deleted.
- The right to receive equal treatment regardless of whether they exercise their privacy rights under the CaCPA.
The legislation’s requirements are disclosure heavy. Website operators are required to regularly update their privacy policies.
Interesting, operators are required to implement a “Do Not Sell My Personal Information” link on the home page. Contact a data privacy compliance attorney to discuss additional compliance obligations. The CaCPA will take effect on January 1, 2020 and will be enforced by the California Attorney General. It provides a private right of action that allows consumers to seek, either individually or as a class, statutory or actual damages and injunctive and other relief, if their “sensitive” personal information is subject to unauthorized access, theft or disclosure due to a failure to implement and maintain required reasonable security procedures.
While privacy advocates are cheering, the digital business community has been quite critical. Reports are that lawmakers are considering a host of technical corrections, which would clean-up drafting errors. Query whether any substantive provisions will be amended or watered-down to create more workable solutions.
The CaCPA contains expansive definitions of personal information, including traditional categories like names, email addresses and Social Security numbers. However, it also covers unique personal identifiers, IP addresses, geolocation data, browsing and search histories, and consumer profiles.
Trade groups are pushing for, without limitation, a change to the law’s definition of “personal information.” The advertising industry argues that data like cookies or IP addresses is not “personally identifiable.”
While not as strict as the General Data Protection Regulation, the CaCPA provides some of the strongest regulations in the country. Tech companies and digital marketers alike remain hopeful for substantive changes.
Richard B. Newman is a digital media and data privacy compliance law attorney at Hinch Newman LLP focusing on advertising and digital media matters.
Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.