NetDiligence Security & Privacy Advisory – California Consumer Privacy Act

Posted by Mark Greisiger

NetDiligence® Security/Privacy Advisory – June 28th, 2018
California Consumer Privacy Act (2018) Becomes Law; Takes Effect 1/1/2020

This NetDiligence Security/Privacy Advisory is published for the benefit of our cyber insurance carrier/broker clients and their insureds. We urge clients to take special note of the details included in this Advisory and take preventative/remedial action on a timely basis. Clients are welcomed to distribute this Advisory to their colleagues and others as they see fit, provided it is distributed without modification of its contents.

Today, June 28th, 2018, marks a turning point in consumer data privacy protection in the United States, as California enacts the strongest such law in the country, giving consumers greater rights to restrict how private businesses collect and share/sell their personally identifiable information with third parties.

California Governor Jerry Brown signed off on the California Consumer Privacy Act of 2018, hours after unopposed passage by both houses of the State Assembly. Passage was a cooperative effort designed to eliminate the need for a similarly-worded voter initiative that had qualified only days earlier for inclusion on the November, 2018, general election ballot. Substantial credit for passage of the law, also known as AB-375, was also shared by Californians for Consumer Privacy (led by Alastair Mactaggart) and relevant tech-sector stakeholders who might otherwise have fought the bill tooth-and-nail to protect their revenue interests.

A copy of the amended bill just prior to Governor Brown’s signature can be found at: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375. An official filing copy of the new law is expected within the near-term.

Taking effect in January, 2020 – and allowing sufficient time for businesses to prepare to meet their new compliance requirements – the new law provides for several important consumer protections, including:

(a) The consumer’s right to request that a business disclose the categories and specific pieces of personal information it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.

(b) A requirement that businesses make disclosures about the information they collect and the purposes for which it is used.

(c) The consumer’s right to request deletion of personal information, with a corresponding requirement that the business delete it upon receipt of a verified request.

(d) The consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information it collects and the categories of information and the identity of 3rd parties to which the information was sold or disclosed – together with a requirement that the business provide this information in response to a verifiable consumer request.

(e) The consumer’s right to opt out of the sale of personal information by a business, with a prohibition on the business discriminating against the consumer for exercising this right, including by charging a consumer who opts out a different price or providing a different quality of goods or services, except where the difference is reasonably related to the value provided by the consumer’s data.

(f) The business’s right to offer financial incentives for the collection of personal information.

(g) A prohibition on a business selling the personal information of a consumer under 16 years of age unless affirmatively authorized, as specified (referred to as the right to opt in).

(h) Prescribed requirements for how businesses receive, process, and satisfy these requests from consumers.

(i) Various definitions for the law’s purposes, including a definition of “personal information” that references a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.

(j) A private right of action for California citizens in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information, with enforcement by the State Attorney General’s office.

The definitions incorporated within the new law – in addition to traditional personally identifiable information (PII) examples already incorporated elsewhere – also include biometric (e.g., DNA, fingerprints, retina/iris scans, recorded keystroke patterns, etc.), geolocation/GPS, “live” sensory (e.g., audio, visual, thermal, olfactory) and other types of data that are rapidly becoming part of a person’s “total digital personal footprint” in the 21st century.

Please stay tuned for additional updates on this important advancement in data privacy law, including subsequent efforts by the California government to fine-tune provisions of the law ahead of the January, 2020, effective date – as well as likely efforts by other U.S. States to review and enact similar legislation.

Thank you very much for your attention to this NetDiligence Security/Privacy Advisory, and please do not hesitate to reach out to us (at management@netdiligence.com) for further advice and assistance with your cyber risk management efforts!