California Enacts Sweeping Consumer Privacy Law


July 2, 2018

On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (CCPA), a sweeping privacy law that provides consumers with broad notice, access, and deletion rights concerning many types of personal information and permits consumers to opt out of the sale of their personal information. The law, introduced and passed within a week in order to head off an even stronger ballot initiative, takes effect on January 1, 2020, and applies to the hundreds of thousands of businesses above certain size thresholds that do business in California and that collect, sell, or disclose for business purposes consumers' personal information.[1]

Attorney Advertising

Key Provisions

The CCPA's key provisions include:

Disclosure of personal information collected. Covered businesses that collect personal information must, in response to a verified request from a consumer, disclose: (1) the categories of personal information the business has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting or selling personal information; (4) the categories of third parties with whom the business shares personal information; and (5) the specific pieces of personal information the business has collected about that consumer. §§ 1798.110, 1798.130(a)(3).

Disclosure of personal information sold, or disclosed for a business purpose. Covered businesses that sell personal information or that disclose it for a business purpose must, in response to a verified request from a consumer, disclose: (1) the categories of personal information that the business collected about the consumer; (2) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold, or, if the business has not sold consumers' personal information, it shall disclose that fact; and (3) the categories of personal information that the business disclosed about the consumer for a business purpose, or, if the business has not disclosed the consumers' personal information for a business purpose, it shall disclose that fact. §§ 1798.115, 1798.130(a)(4), (a)(5)(c).

WilmerHale California Enacts Sweeping Consumer Privacy Law 2

Deletion of personal information. Covered businesses must, in response to a verified request, delete personal information of the requester and make sure service providers do as well, with certain exceptions. § 1798.105(a), (c)-(d).

Opt-out for sales of personal information. Covered businesses may not sell personal information without giving notice and a chance for affected consumers to opt out. Covered businesses must place a link on their website homepage titled "Do Not Sell My Personal Information" that redirects to a webpage that enables a consumer to opt out of the sale of the consumer's personal information. The business cannot require consumers to create an account in order to opt out of the sale of their personal information. §§ 1798.120, 1798.115(d), 1798.135.

Opt-in for sales of personal information of those less than 16 years of age. Covered businesses may not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information. § 1798.120(d).

Enhanced disclosures of privacy rights and practices concerning collection, sale, and disclosure of personal information. Covered businesses must disclose, in their online privacy policy or California-specific description of consumer privacy rights, consumers' rights under the CCPA and the methods for exercising those rights, as well as the categories of personal information the business collects, sells, or discloses for business purposes. The notices must be updated annually. These requirements extend beyond current privacy policy requirements set forth in the California Online Privacy Protection Act. § 1798.130(a)(5).

Methods for making verified consumer requests. Covered businesses are required to provide two or more methods for consumers to submit requests to exercise their rights as described above, including at a minimum a toll-free telephone number and, if the business maintains a website, a website URL. Businesses must respond to requests for information within 45 days of receipt (though extensions are allowed under certain circumstances), must respond free of charge, and the disclosure must cover the 12 months preceding the request. The disclosure must be made in writing by mail or electronically at the consumer's option, and in a readily useable format to permit the consumer to transfer the information to another entity without hindrance. § 1798.130(a)(1)-(5).

Broadened definition of personal information. As compared to the California On-line Privacy Act, the CCPA significantly broadens the definition of personal information to mean information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition includes, among other things: names and other identifiers such as IP addresses; account names; driver's license and passport numbers; commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; biometric information; internet browser and search history, interaction with a website, application, or advertisement; location information; professional or employment-related information; educational information; and inferences drawn from any of the above information to create a profile about a consumer. § 1798.140(o).

Deidentified or aggregated information. The CCPA's requirements do not apply to consumer information that is deidentified or in the aggregate. § 1798.145(a)(5).

Discrimination prohibited; financial incentives permitted. Covered businesses are prohibited from charging consumers who opt out a different price or providing a different quality of goods or services, but businesses may offer financial incentives for the collection, sale, or retention of personal information on an opt-in basis. § 1798.125.

No contractual waiver. Consumers cannot contractually waive their rights, as any provision to that effect in a contract shall be deemed contrary to public policy and void. § 1798.192.

Limitations and relation to other laws. Obligations under the CCPA shall not restrict a business's ability to comply with federal, state, or local laws; comply with civil and criminal investigations and process; cooperate with law enforcement; or exercise or defend legal claims. The CCPA also does not apply with respect to personal information collected, sold, or disclosed for business purposes under certain federal laws, including protected health information under HIPAA and the HITECH Act and consumer reports under the Fair Credit Reporting Act. The CCPA also does not apply to personal information collected, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or Driver's Privacy Protection Act if it is in conflict with that law. § 1798.145.

Penalties. The California Attorney General may enforce the CCPA's privacy provisions. Violations carry penalties of up to $2,500 per violation and up to $7,500 for intentional violations. § 1798.155.

Private right of action for certain data breaches. Consumers whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to maintain reasonable security procedures appropriate to the nature of the information are afforded a private right of action (a) to recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater; (b) injunctive or declaratory relief; and (c) any other relief the court deems proper. In assessing the amount of statutory damages, the court is directed to consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.

Consumers seeking to bring an action must provide the prospective defendant with 30 days' written notice, identifying the specific provisions the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, the consumer is not entitled to bring the action, unless the prospective defendant continues to violate the law. No such notice, however, is required prior to an individual consumer's initiating an action solely for actual monetary damages. In order to bring an action, a consumer must notify the Attorney General within 30 days that the action has been filed. The Attorney General, upon receiving such notice, shall, within 30 days, either (a) notify the consumer of the Attorney General's intent to prosecute an action (if the Attorney General does not prosecute within six months, the consumer may proceed with the action); or (b) refrain from acting within the 30 days, allowing the consumer to proceed; or notify the consumer that the consumer shall not proceed. § 1798.150.

Rulemaking. On or before January 1, 2020, the California Attorney General shall undertake a notice-and-comment rulemaking process to address implementation of the CCPA, including, among many other subjects, (1) updating as needed additional categories of personal information in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns; (2) updating as needed the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns;[2] (3) adding additional categories to the designated methods for submitting requests to facilitate a consumer's ability to obtain information from a business; and (4) establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights. § 1798.185.

Conclusion

The CCPA is one of the most significant privacy laws ever enacted in the United States. It was enacted extremely quickly with little input from the business community. The business community will likely lobby for amendments to the CCPA before it takes effect, especially with respect to the private right of action, and, as such, the law that takes effect in 2020 may prove to be different than the law that was enacted last week. The required rulemaking process will also allow input from affected companies, and the delayed effective date gives companies some time to prepare for compliance. But the CCPA establishes substantial new obligations, in terms that are not always clear. Affected companies will need to begin assessing their responsibilities and methods for fulfilling them promptly.

[1] See Rita Heimes & Sam Pfeifle, IAPP Privacy Advisor, New California Privacy Law to Affect More than Half a Million US Companies (July 2, 2018). The thresholds are: (a) has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted for inflation; (b) alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers' personal information. Cal. Bus. & Prof. Code § 1798.140(c)(1). All section references in text are to the Cal. Bus. & Prof. Code.

[2] The law defines unique identifiers and personal unique identifiers as a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, family means a custodial parent or guardian and any minor children over which the parent or guardian has custody. § 1798.140(x).

Contributors

Jonathan G. Cedarbaum, Partner
D. Reed Freeman, Jr., Partner
Nicole Ewart, Senior Associate

Wilmer Cutler Pickering Hale and Dorr LLP is a Delaware limited liability partnership. WilmerHale principal law offices: 60 State Street, Boston, Massachusetts 02109, +1 617 526 6000; 1875 Pennsylvania Avenue, NW, Washington, DC 20006, +1 202 663 6000. Our United Kingdom office is operated under a separate Delaware limited liability partnership of solicitors and registered foreign lawyers authorized and regulated by the Solicitors Regulation Authority (SRA No. 287488). Our professional rules can be found at www.sra.org.uk/solicitors/code-of-conduct.page. A list of partners and their professional qualifications is available for inspection at our UK office. In Beijing, we are registered to operate as a Foreign Law Firm Representative Office. This material is for general informational purposes only and does not represent our advice as to any particular set of facts; nor does it represent any undertaking to keep recipients advised of all legal developments. Prior results do not guarantee a similar outcome. © 2004-2018 Wilmer Cutler Pickering Hale and Dorr LLP