On the heels of Colorado’s new cybersecurity legislation, California has now announced that it has enacted the California Consumer Privacy Act of 2018. The legislation provides residents of California the right to:

  • be informed about the personal information that is collected about them;
  • be informed whether their information is sold to third parties and who those third parties are;
  • limit the sale of their personal information to third parties;
  • be provided with access to their personal information; and
  • be provided with the right to delete their personal information.

Importantly, the new law adds the following categories of information to the definition of personal information:

  • records of personal property, products, or services, and “consuming histories or tendencies”;
  • biometric data;
  • clickstream and “other electronic network activity information”;
  • geolocation data;
  • consumer sensory information;
  • professional or employment-related information;
  • educational information not publicly available; and
  • “inferences drawn” from personal information.

“Personal information” does not include publicly available information and consumer information that is “de-identified.”

Consistent with the FTC’s “Start With Security” guidance, the law prohibits the collection of information that is not “reasonably necessary.”  

The Act provides Californians increased control of their personal information, including the right to know the categories of information collected and with whom it is shared. It provides consumers the right to opt out of the transfer of their information and requires that consumers be provided with meaningful choices before their information is shared. Children under the age of sixteen must opt in.

The law will directly impact the manner by which marketers collect, store, disseminate and otherwise utilize consumer data.  It mandates the development and implementation of enhanced privacy policies and disclosures, and internal processes that address consumer requests regarding the use of data, including the sale and deletion thereof.  

Businesses are prohibited from discriminating against consumers for exercising their rights by, without limitation, refusing to make available products or services. Financial incentives may be acceptable so long as they are not “unjust, unreasonable, coercive, or usurious.”

Not unlike Colorado’s cybersecurity legislation, third-party management controls are required, including responsible contract provisions and the diligent vetting of third parties’ data use practices.

The Act is reminiscent of the European Union’s General Data Protection Regulation.  It will be enforced by the Attorney General and by private right of action. State AG enforcement carries stiff penalties of up to $7,500 per violation.

The new law will be effective as of January 1, 2020.  You can see the new legislation and various exceptions, here.

Contact a privacy and data use compliance law firm to discuss legislative trends that impact the interactive advertising community.

Richard B. Newman is a regulatory litigation, investigations and compliance attorney at Hinch Newman LLP.  Follow him on LinkedIn.

ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future results. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.