New California consumer privacy laws which have the potential to set off a wave of class-action litigation against businesses go into effect January 1, 2020.
The California Consumer Privacy Act of 2018 (CCPA) allows consumers to demand that businesses tell them exactly what personal information the business has collected about them. Consumers will also have the right to prohibit businesses from selling their personal information (also known as “opting out”). Additionally, businesses cannot discriminate against consumers that opt out by charging them more or denying service to consumers who exercise these rights.
All businesses that collect or process consumer personal information, do business in California, and meet one of the following requirements must comply with the CCPA.
1. Have annual gross revenues over $25 million;
2. Buy, receive, sell, or share the personal information of 50,000 or more consumers, households or devices each year; or
3. Derive 50% or more of annual revenue from selling consumers’ personal information.
 Found at Cal. Civil Code s 1798.100 et seq.
Strikingly, the CCPA grants consumers the private right to sue businesses if their personal information is stolen or merely accessed without authorization due to a business’ failure to implement reasonable and appropriate security practices. Consumers can recover the greater of actual or statutory damages, which range from a minimum of $100 to a maximum of $750 per consumer per incident. A breach of thousands of records can quickly add up, and result in a very large judgment. We expect that class-action attorneys will exploit this opportunity.
Protected information includes not only identifiers such as name and address, but also internet activity information, such as the consumer’s interaction with a website; histories of products or services purchased or considered and search history; geolocation data; biometric information; and more, in both digital and non-digital forms.
COUNSEL TO MANAGEMENT:
If your business deals with personal information and meets one of the criteria above, you will need to take steps as soon as possible to comply with the CCPA. In addition to the requirements above, the CCPA mandates that you take affirmative steps including providing a clear and conspicuous link on your internet homepage titled “Do Not Sell My Personal Information” directing the consumer to a page where he or she can opt out; adding a description of the consumer’s rights under the CCPA to your online privacy policies; and notifying the consumer that their personal information will be collected at or before the time it is collected.