You may have noticed that many on-line services have updated their privacy policies lately. For that you can blame or, depending on your point of view, thank the State of California. Effective January 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA” or the “Act”), grants new rights and imposes new obligations on businesses that collect personal information, and requires that these changes be reflected in published privacy policies. While applicable only to California residents and enterprises that do business there, the impact of the CCPA is expected to be felt worldwide.

The Act contains many technical definitions, requirements and exceptions, but generally grants California consumers the right to demand that covered businesses disclose upon request: (i) the personal information it collects, (ii) the sources from which that information is collected, (iii) the business purpose for collecting the information, and (iv) the categories of third parties with which the information is shared. The consumer may also request to have their personal information deleted, and be allowed to opt-out of information sharing by demanding that their information not be sold or disclosed to third parties for “monetary or other valuable consideration.”

Businesses covered by the CCPA include virtually any for-profit undertaking that collects personal information, does business in California, and meets any one of the following thresholds: (i) annual gross revenues of $25 million; (ii) buys, sells or shares personal information of 50,000 or more consumers; or (iii) derives 50% or more of its annual revenue from the sale of consumer information.

The CCPA expressly prohibits businesses from discriminating against any California consumer who exercises a right granted by the Act, such as by denying goods or services, or charging different prices for them. Businesses may, however, offer consumers reasonable financial incentives as compensation for the collection or sale of personal information.

Businesses must include an explanation of these rights and obligations in their privacy policy, and must also provide a conspicuous link on its home page to a “Do Not Sell My Personal Information” site for opting-out of the sale of their personal information.

The CCPA provides a private right of action for violations, but only after the California Attorney General has decided whether or not to initiate an action of its own. The Attorney General has also been delegated the responsibility to publish regulations to further define and implement the Act.

Although enforceable only by or on behalf of California residents, the CCPA should be on the radar of all businesses that collect personal consumer information. Since its passage, similar bills have been introduced in 15 states, including Maryland. Moreover, there may be businesses that accord consumers everywhere at least some of the rights granted by the Act, rather than go to the expense of maintaining systems that discriminate among those residing inside or outside of California. It is, therefore, incumbent on all businesses that collect personal consumer information, and the attorneys advising them, to pay attention to the rollout and implementation of the CCPA. They might be next in line.

Written by MSBA Staff.