About the Law
Companies that do business in California, regardless of where they are located, must comply with the law if they exceed one of the following thresholds: (i) have annual gross revenues in excess of $25 million; (ii) buy, sell, or receive or share for commercial purposes personal information gathered from 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of their annual revenues from “selling” consumers’ personal information.
Some questions remain about the precise meaning of the thresholds. For example, it is not specified whether “annual gross revenues” includes global revenues or only revenues from California.
Any business that collects a consumer’s personal information must, at or before the point of collection, inform the consumer as to (i) the categories of personal information to be collected; (ii) the purposes for which such personal information will be used; (iii) a description of a consumer’s rights under the Act, including a “clear and conspicuous” opportunity to opt out from the sale of his or her personal information; and (iv) the designated methods for submitting privacy inquiries and requests, including, at a minimum, a toll-free telephone number and a website address. These general disclosures must be made in the business’s online privacy policies and in any California-specific descriptions of a consumer’s privacy rights and updated at least once every 12 months. The clear and conspicuous opt out must be titled “Do Not Sell My Personal Information” and must be included on a business’s homepage.
A business must not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by: (i) denying goods or services to the consumer; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title; or (iv) suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
In essence, this prevents websites and publishers from denying consumers access to their services if they elect not to provide any personal information. IAB has strongly opposed similar provisions in the proposed EU ePrivacy Regulation.
Any business that receives a verifiable consumer request to access personal data must promptly take steps to disclose and deliver, free of charge to the consumer, (i) the categories of personal information it has collected about that consumer; (ii) the categories of sources from which the personal information is collected; (iii) the business or commercial purpose for collecting or selling personal information; (iv) the categories of third parties with whom the business shares personal information; and (v) the specific pieces of personal information it has collected about that consumer. The Attorney General is tasked with promulgating regulations to determine what constitutes a verifiable consumer request.
The information may be delivered by mail or electronically, and if provided electronically, the information must be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.
A business that receives a verifiable request from a consumer to delete the consumer’s personal information must delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
Restrictions on Sale of Data
A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information, has not received consent to sell the minor consumer’s personal information, is prohibited from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
After several attempts by the California legislature to pass comprehensive privacy legislation, on June 28th, 2018, California Governor Jerry Brown signed into law the CCPA – a first-in-the-nation piece of consumer privacy legislation.
CCPA’s path to the Governor’s desk was anything but typical.
In 2017, a real estate investor named Alastair Mactaggart decided to take the issue of consumer privacy into his own hands. Despite having little knowledge of the issue, he provided the financial support for the drafting of a sweeping privacy measure to be placed on the ballot and considered in November of 2018.
Facing the prospect of a highly contentious battle over the ballot initiative, in which IAB was deeply involved, several members of the California legislature sought to take advantage of a peculiarity in the California constitution that enables the proponent of a ballot initiative to pull a measure from consideration before June 29th of an election year.
Just one week before the June 29 deadline, a bill similar to the initiative was introduced by state assembly member Ed Chau and state senator Robert Hertzberg, and offered to industry as a “take it or leave it” alternative to the ballot initiative. Despite virtually no input from industry, drastically overbroad definitions, and scores of drafting errors, the legislation was passed over industry objection.
A small technical amendment bill was passed in August of 2018 that extended the enforcement date to July 1, 2020. There will also be a robust regulatory process by the California Attorney General that is expected to give further definition to the bill in 2019.