California Passes Comprehensive Online Privacy Legislation

July 2, 2018
Legal Update

California has enacted the California Consumer Privacy Act of 2018, a comprehensive online consumer privacy law that promises to upend the way businesses use consumer personal information. As justification for passage of the bill, the preamble to the law cited the right to privacy enshrined in California’s Constitution, as well as the revelation earlier this year concerning Cambridge Analytica, where “tens of millions of people had their personal data misused.”

The new law grants California consumers the right to access and control their personal data including:

Businesses that are subject to the law will need to take steps to come into compliance before it becomes effective on January 1, 2020. Among other things, businesses will be required to:

In addition, businesses may not discriminate against consumers who have opted out of having their personal information sold or shared, although businesses are allowed to offer consumers certain financial incentives in an attempt to prevent a consumer from opting out of the selling or sharing of personal information.

It took only a week for the new law to go from draft legislation to Governor Jerry Brown’s desk for signature. The law was fast-tracked to avoid a planned ballot initiative with provisions that were considered less desirable by both legislators and the tech industry. If passed, this ballot initiative would have required 70% approval from the Legislature to make any changes to it once it became law and would also have included a private right of action for any infraction.

The new law is enforceable by the California Attorney General and also includes a private right of action with statutory damages for unauthorized access or infiltration, theft or disclosure of unencrypted or unredacted consumer personal information as a result of the business’ failure to employ reasonable security measures.

The bill charges the Attorney General with drafting regulations to assist with its implementation that are informed by “broad public participation.” It is also anticipated that, because of the swiftness with which the bill was passed, some corrective amendments will follow.

For more information, please contact Jane Shea, Melissa Kern, Michael Nitardy or any other attorney in Frost Brown Todd’s Privacy and Information Security Law Practice Group.