California Privacy Act and Reservist Financial Obligations
California Enacts Provisions Regarding Consumer Privacy Act
The state of California enacted provisions relating to its Consumer Privacy Act of 2018. The Act applies to businesses that collect, sell or disclose for business purposes personal information collected from consumers and grants consumers a number of rights related to the data collected by businesses about them. These provisions are effective on January 1, 2020.
The Act defines “personal information” as “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The definition includes, but is not limited to: names and other identifiers such as IP addresses; account names; driver’s license and passport numbers; commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; biometric information; internet browser and search history, interaction with a website, application, or advertisement; location information; professional or employment-related information; educational information; and inferences drawn from any of the above information to create a profile about a consumer.
“Business purpose” is defined under the Act as “the use of personal information for the business or a service provider operational purposes, or other notified purposes, provided that the use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which the personal information is collected or processed or for another operational purpose that is compatible with the context in which the personal information is collected.”
The Act applies to any business, whether or not based in California, that collects personal information from California residents and satisfies one or more of the following thresholds: (1) has annual gross revenue in excess of $25 million, (2) annually obtains personal information of at least 50,000 California residents, and (3) derives 50 percent or more of its annual revenues from selling the personal information of California residents.
Businesses that collect personal information must, in response to a verified request from a consumer, disclose the categories and specific pieces of personal information the business has collected about that consumer; the categories of sources from which that information is collected; the business purposes for collecting or selling the information; and the categories of third parties with whom the business shares the information.
Under the Act, a consumer also has a right to request a business that sells or discloses a consumer’s personal information for a business purpose to disclose to the consumer the categories of personal information that the business collected about the consumer; the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information, for each third party to whom the personal information was sold.
Consumers also have the right under the Act to request a business to delete their personal information which the business has collected from them unless the data is required for specific listed purposes cited in the Act. Businesses are mandated under the Act to disclose in their online privacy policies or on their internet website the consumer’s right to request the deletion of the consumer’s personal information.
A business that receives a verifiable request from a consumer to delete the consumer’s personal information must delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
A business that sells consumers’ personal information to third parties is required to provide a notice to consumers informing them that their data may be sold and that the consumers have the right to opt out of the sale of their personal information.
Furthermore, businesses that sell consumers’ personal information must place a clear link on their business Internet homepage, titled “Do Not Sell My Personal Information” that would enable a consumer to opt out of the sale of the consumer’s personal information. Consumers are not required to create an account in order to exercise their right to opt out of the sale of their personal information.
A business may not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian in the case of consumers who are less than 13 years of age, has authorized the sale of the consumer’s personal information.
The Act prohibits businesses from denying goods or services, charging a different price or providing a different quality of goods or services for consumers who opt out of selling their personal information. The Act, however, allows businesses to offer financial incentives for the collection, sale, or the deletion of personal information on an opt-in basis, and businesses may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
The Act requires businesses to provide two or more methods for consumers to submit requests to exercise their rights provided under the Act. Businesses must respond to requests for information within 45 days of receiving a verifiable request, must respond free of charge, and the disclosure must cover the 12 months preceding the request. The disclosure must be made in writing, or by mail or electronically at the consumer’s option, and in a readily useable format to permit the consumer to transfer the information to another entity without hindrance.
The obligations under the Act shall not restrict a business’s ability to comply with federal, state, or local laws, comply with civil and criminal investigations and process, cooperate with law enforcement, or exercise or defend legal claims. The Act also does not apply to personal information collected under certain federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), or the Fair Credit Reporting Act (FCRA).
The Act also provides for a private right of action to any consumer whose nonencrypted or nonredacted personal information is subjected to an unauthorized access, theft, or disclosure as a result of the business’ violation of the duty to maintain reasonable security procedures and practices appropriate to the nature of the information.
Finally, the Act provides that, on or before January 1, 2020, the California Attorney General shall solicit broad public participation to adopt regulations for the implementation of the Act.
California Amends Provisions Regarding Deferment of Financial Obligations for Reservists
Under the California Military Families Financial Relief Act, a reservist who is called to active duty is authorized to defer payments on mortgages, credit cards, retail installment accounts and contracts, real property taxes and assessments, vehicle leases, and obligations owed to utility companies, for the period of active duty plus 60 calendar days, or 180 days, whichever is the lesser. The reservist is required under the law to deliver to the obligor (1) a copy of his or her activation or deployment order and any other information that substantiates the duration of the service member’s military service, and (2) a letter signed by the reservist, under penalty of perjury, requesting a deferment of financial obligations, in order for the obligation or liability to be subject to the provisions of the Act.
This amendment removes the requirement to provide a signed letter under penalty of perjury and instead requires the reservist to deliver a written request for a deferment of financial obligations to the obligor. Under the amendment the “written request” includes an electronic communication. These provisions are effective on January 1, 2019.
Rhona Kyeyune, LLM, is a regulatory compliance consultant with CLA. She is a graduate of Makerere University and earned her master of laws at Boston University School of Law.