Last week, California Governor Jerry Brown signed into law AB 375, the so-called California Consumer Privacy Act of 2018. The Act takes effect in January 2020 and includes some features of the GDPR. Under the Act, California consumers will have the right to request that a business that collects a consumer’s personal information disclose to the consumer the categories and specific pieces of personal information the business has collected. This includes disclosure of the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling personal information, and the categories of third parties with whom the business shares personal information.
A consumer also has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. The business must comply with the deletion request unless one of the listed exceptions applies. In addition, consumers have the right to request information from a business that sells the consumer’s personal information or that discloses it for a business purpose. Consumers may also direct a business not to sell the consumer’s personal information, referred to as the right to “opt out.” Significantly, businesses must give notice to consumers that their information may be sold and that consumers have a right to opt out. Businesses cannot discriminate against a consumer because they opt out or exercise any of their other rights under the Act.
The Act defines “personal information” broadly to include commercial information, Internet browsing and search history, identifiers such as Internet Protocol address, and professional or employment-related information. However, personal information specifically does not include publicly available information, meaning “information that is lawfully made available from federal, state, or local government records.” “Publicly available” does not include biometric information collected by a business without a consumer’s knowledge, or consumer information that is deidentified or aggregate consumer information.
The Act gives consumers the right to bring civil actions for statutory or actual damages or injunctive relief against businesses that violate its provisions. If the action is purely for statutory damages and the consumer has not suffered actual pecuniary damages as a result of a violation, the consumer must first provide the offending business with 30 days’ written notice identifying the specific provisions of the Act the consumer alleges have been or are being violated. If the business is able to cure the violation and provides written notice that no further violations shall occur, then the consumer cannot bring an action for statutory damages.
Employers who do business in California will need to take steps to comply with the provisions of the Act. While the Act only applies to California consumers, it may be easier to implement the requirements across all U.S. operations. In addition, other states may follow suit and pass similar statutes.
We will update the blog with significant privacy law developments for employers in California and elsewhere.