California GDPR Now a Reality
Beginning January 1, 2020, the California Consumer Privacy Act of 2018 (the “Act”) will give consumers more control over, and greater insight into, the collection and use of their personal information online, creating one of the most comprehensive privacy measures in the United States. Even though financial institutions are already subject to strict laws protecting personal information, including the Gramm-Leach-Bliley Act (the “GLBA”) and SB1, financial institutions that meet the requirements below will also be subject to the Act.
The Act grants consumers the right to know what personal information businesses are collecting, why they are collecting it, and who they are sharing it with. Personal information is defined broadly and extends beyond the traditional definition of non-public personal information relating to an individual’s identity and financial information. It will also include a broad list of characteristics and behaviors, both personal and commercial. The Act gives consumers the right to require companies to delete their personal information as well as not to sell or share their data. Businesses cannot discriminate against consumers who exercise their rights under the Act.
The Act will affect businesses that (a) collect consumers’ personal information, (b) determine the purposes and means of processing consumers’ information, (c) do business in California, and (d) either:
- Have annual gross revenues of at least $25 million;
- Annually buy, receive for commercial purposes, sell, or share for commercial purposes, either alone or in combination, the personal information of 50,000 or more people, households, or devices; or
- Derive half of their annual revenue from selling personal information.
The Act explicitly states that it does not apply to personal information collected, processed, sold, or disclosed under the GLBA, but only to the extent that the two laws conflict. This also raises implications for financial institutions’ vendors, which could in turn affect your financial institution.
This groundbreaking law has elements in common with the General Data Protection Regulation (“GDPR”) that the European Union imposed earlier this year. Unlike GDPR, California does not require opt-in permission to collect information. Instead, consumers must act to request their personal information, which businesses must then provide, and the Act allows consumers to require that the information be deleted.
In the event of a data breach, consumers may be able to sue for up to $750 for each violation. In addition, the California Attorney General can bring an action for intentional violations, at up to $7,500 for each violation. Some good news is that businesses will have thirty (30) days to cure the problem before becoming liable.
The Act is the result of a last-minute attempt to head off a ballot measure that would have brought a different, arguably stricter, set of privacy rules to the state. However, with the Act not going into effect until 2020, it is anticipated that both consumer advocates and the technology community will lobby for further changes and/or interpretations.