This article by Catherine Essig, was originally published by Zwillgen. Note: The California Consumer Privacy Act ballot initiative discussed in this post was withdrawn from the November ballot on June 28, 2018, after the California legislature passed a bill, AB 375, of the same title.
A consumer privacy ballot initiative that would create new rights for consumers and affirmative obligations for businesses that collect, sell, and/or disclose consumers’ personal information is likely to appear on California ballots in November. The California Consumer Privacy Act of 2018 (the “Act”) gives California consumers the right to request what personal information a business has collected, sold, or disclosed about them, and to whom, and the right to opt out of the sale of their personal information. Additionally, the Act prevents businesses from denying, changing, or charging more for goods or services if a California consumer pursues his or her rights under the Act, and creates liability for businesses that experience a security breach if such businesses have not implemented “reasonable” security measures. The Act attaches potentially steep penalties.
In addition to enforcement by the Attorney General or a district attorney, who may seek civil penalties of up to $7,500 per violation, the Act contains a private right of action for consumers. Any violation of the Act is deemed an injury in fact to the consumer, without proof of harm – economic or otherwise. Aggrieved consumers would be entitled to recover statutory damages in the amount of $1,000 per violation or actual damages, and up to $3,000 per violation for knowing and willful violations of the Act. These same penalties also apply to businesses that suffer security breaches in the event the business failed to implement and maintain reasonable security procedures and practices.
The Act, which is intended to supplement existing laws including the California Online Privacy Protection Act and the California Shine the Light Act, has the potential to materially affect virtually all businesses – both online and brick-and-mortar – with operations in California. Businesses will need to be prepared to 1) respond to user data requests both through operational means and personnel training, 2) quickly halt the sale of user data upon request, and 3) implement user notices and updated privacy policies. Should the Act pass in November, it will only apply to personal information collected or sold by a business on or after a grace period of 9 months from the effective date, which would be the day after the election at which the Act is adopted.
Catherine Essig, Fellow at Zwillgen. Prior to joining ZwillGen, Catherine was a law clerk in the U.S. District Court for the Northern District of Texas. Formerly, Catherine interned at Facebook where she worked with the state policy department to monitor and analyze issues such as data breach notification laws, decedent accounts, and student privacy. During her time at Harvard Law School, Catherine worked as a student practitioner in the Berkman Center for Internet and Society’s Cyberlaw Clinic and completed a semester-long internship with the Massachusetts State IT Department.
This Halloween, learn what “Ghost” Job Postings are and how to avoid the spooky pheno...Read More
“Quiet quitting” has been defined as doing the bare minimum amount at work in an effo...Read More