California Consumer Privacy Act of 2018 Bill Passes

California’s Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and requires a business or person that suffers a breach of security of computerized data that
includes personal information, as defined, to disclose that breach, as specified.

Beginning January 1, 2020, the bill would grant a consumer the right to:

  • request a business to disclose categories and specific pieces of personal information collected about a consumer, categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.
  • require a business to make disclosures about personal information and the purposes for which it is used
  • request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified
  • request that a business that sells the consumer’s personal information, or discloses it for a business purpose,
  • disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed
  • require a business to provide this information in response to a verifiable consumer request.
  • opt out of the sale of personal information by a business and prohibit the business from discriminating against
    the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
  • authorize businesses to offer financial incentives for collection of personal information.

The bill would:

  • prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively  authorized, as specified, to be referred to as the right to opt in
  • prescribe requirements for receiving, processing, and satisfying these requests from consumers and various definitions for its purposes and would define “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information
  • prohibit the provisions described above from restricting the ability of the business to comply with federal, state, or local laws, among other things
  • provide for its enforcement by the Attorney General
  • provide a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information
  • prescribe a method for distribution of proceeds of Attorney General actions. The bill would create the Consumer Privacy Fund in the General Fund with the moneys in the fund, upon appropriation by the Legislature, to be applied to support the purposes of the bill and its enforcement. The bill would provide for the deposit of penalty money into the fund
  • require the Attorney General to solicit public participation for the purpose of adopting regulations, as specified
  • authorize a business, service provider, or 3rd party to seek the Attorney General’s opinion on how to comply with its provisions
  • void a waiver of a consumer’s rights under its provisions, and
  • condition its operation on the withdrawal of a specified initiative from the ballot.