California Data Privacy Act Takes Effect
Jan 23 2020On 1 January 2020, the California Data Privacy Act took full effect. Enforcement of the Act will begin on 1 July.
On 28 June 2018, California became the first U.S. state to adopt its own data privacy regulation. The California Consumer Privacy Act of 2018 (AB 375) applies to for-profit companies that either 1) have annual revenue of more than $25 million, 2) handle information of 50,000 or more consumers or 3) make 50% or more income from selling information. The law allows Californians to 1) determine what data is being collected, 2) see what data is be provided to third parties, 3) prevent the sale of their data, 4) access their data, and 5) control their data without penalty.
The law covers the data of California residents who can sue for the breach of their data for the amount of $100 to $750 per incident. The California Attorney General can also bring suit for breaches of data.
The law covers the data of California residents who can sue for the breach of their data for the amount of $100 to $750 per incident. The California Attorney General can also bring suit for breaches of data.
Specifics of the Five Rights
The first right gives the consumer the authority to find out the categories of information as well as the specific information a business is collecting about him or her. When collecting personal information, a business is required to notify a consumer about the categories of information being collected. Similar to the first right, the second right also allows the consumer not only to find out what information about them is being collected but also what information of theirs is being sold and the categories of third parties purchasing their data. The consumer also has the right, with several exceptions pertaining to the use of their data, to request that their information be deleted.
The third right allows the consumer to not have their data sold. Businesses are required to include a link on its homepage to a webpage entitled “Do not sell my personal information,” which allows the consumer to opt out of allowing their information to be sold. The business must also provide, if available, its online privacy policy and the privacy rights of the consumer under California law. If the business believes the consumer is under 16 years of age, the business cannot sell their data without their consent, and those under 13 must have guardian consent.
As part of the fourth right, the consumer can request specific information from the business, which has to fulfill the request free of charge up to twice a year. The business must provide two or more means for the consumer to submit requests for their information.
The fifth right prevents the business from treating a consumer differently if the consumer invokes any of their rights to control their personal information. For instance, a business cannot charge the consumer a different price, provide an inferior level of quality or deny the sale of goods or services. The Act does, however, allow the business to compensate the consumer for allowing the business to collect or sell his or her information.