California gets tough with new digital privacy law

Marco Green
July 6, 2018

"The privacy, and security administrative and technological infrastructure for complying with the newly-established rights of the consumer under this new and far-reaching law will be a key feasibility consideration", said Bernadette Broccolo, a partner with the law firm McDermott Will & Emery.

A consumer is defined as "a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations", and the law would apply to such "consumers" even if identified only by unique identifier. While the CCPA expressly prohibits companies from discriminating against customers who choose to exercise these rights, the bill does not prohibit a business from charging a consumer a premium, provided the premium is a reasonable price and is related to the "value provided to the consumer by the consumer's collected data" (an awkward phrase, discussed further below). In addition, the law makes it harder for companies to share or sell data on those aged under sixteen.

(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer. Each request from consumers must be formally analyzed as various scenarios may exist in which a business does not have to honor a consumer's request to exercise one of his/her rights. Healthcare organizations must also be careful when investing in outside companies that develop and market consumer-facing health or wellness mobile apps and solutions or when launching their own internal ventures that do the same.

Consumers may make this request to a business no more than twice in a calendar year.

Detecting security incidents or fraud, as well as debugging existing intended systems.

(7) To enable exclusively internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business. The business must wait a minimum of 12 months before requesting to sell the PI of a consumer who has opted out. Financial incentives offered to the consumer for the collection, sale, or deletion of PI are permitted only with the prior opt-in by the consumer. If the company sells data about consumers, the law would also permit consumers to opt out of that practice. Consumers under the age of 13 would still be subject to the federal Children's Online Privacy Protection Act. However, the meaning of "personal information" for purposes of the private right of action is limited to the more traditional identifiers contained in California's data security statute, such as name, social security number, and credit card information, rather than the broad definition of "personal information" used elsewhere in the CCPA.

Injunctive relief is also available. Consumers can't sue unless they first notify the business and the state attorney general, and the business doesn't correct the problem in 30 days and the state attorney general does not bar the suit.

There are other specific requirements for privacy policy disclosures, method of consumer request, and business response and other important compliance requirements that we will discuss in detail over the coming weeks.

People will also be able to demand the deletion of their data, similar to the "right to be forgotten" in the European Union, with exceptions for things like free speech and the completion of transactions.
