In early May, a group called Californians for Consumer Privacy gathered enough signatures for the Consumer Right to Privacy Act (CRPA) to qualify for the November 2018 ballot.
The ballot initiative builds on existing California laws directed at protecting the privacy of California consumers’ personal information, including the Shine the Light law (Civil Code §1798.83) and the California Online Privacy Protection Act (CalOPPA, Business & Professions Code §§22575-22579).
The CRPA sets forth a statutory framework that: 1) gives consumers the right to know what categories of personal information a business has collected about them and their children; 2) gives consumers the right to know whether a business has sold or disclosed their personal information and to whom; 3) requires businesses to stop selling a consumer’s personal information upon a consumer’s request; 4) prevents businesses from denying, changing, or charging more for a service if a consumer exercises the above rights; and 5) requires businesses to safeguard consumers’ personal information and holds businesses accountable for security breaches compromising a consumer’s personal information.
The CRPA also sets forth additional disclosure requirements for a business’s website and online privacy policy. For example, the CRPA requires that a privacy policy describe a consumer’s rights pursuant to the CRPA and list the categories of personal information that the business has collected in the preceding 12 months by reference to the specific categories of personal information enumerated in the CRPA. Additionally, websites of businesses that sell personal information are required to post a link on their homepage titled “Do Not Sell My Personal Information,” which must link to a webpage that allows a consumer to opt out.
In contrast with the broad application of CalOPPA and the Shine the Light law to companies doing business with California residents, the CRPA applies more narrowly to companies doing business in the State of California that meet a certain revenue threshold or to companies primarily in the business of selling personal information. Under the CRPA, a business is defined as one that has gross revenue in excess of $50 million, or that annually sells the personal information of 100,000 or more consumers or devices, or that derives 50% or more of its annual revenue from selling consumers’ personal information. Parent and subsidiary companies of such businesses that share common branding also fall under the CRPA’s definition of business.
While the CRPA’s primary definition of personal information uses language similar to that used for the term in other privacy laws (and incorporates the categories of personal information set forth in the Shine the Light law), it explicitly enumerates categories of information, notably: 1) unique identifiers (including probabilistic identifiers); 2) IP addresses; 3) commercial information, such as purchasing and consuming history and tendencies; 4) internet activity, including browsing history, search history and information regarding a consumer’s interactions with a website, application or advertisement; 5) psychometric data; and 6) inferences drawn from any of the enumerated categories. Personal information does not include publicly available information or information that has been de-identified.
The CRPA provides for broad enforcement powers. Importantly, a violation of the CRPA constitutes an injury in fact, and a consumer need not show money or property damages resulting from a violation in order to bring the action. Consumers can bring an action for statutory damages in the amount of $1,000 for each violation and up to $3,000 per violation for each knowing and willful violation. The CRPA also provides for enforcement by the California Attorney General. Pursuant to such enforcement, businesses could be liable for up to $2,500 per violation, and in the case of intentional violations, up to $7,500 per violation. Finally, the CRPA also provides a framework for whistleblower enforcement.
It may be too early to tell whether a majority of Californians will support and pass this ballot initiative in November. But with recent publicity of significant data breaches and mishandling of personal information, as well as a spotlight on the European Union’s General Data Protection Regulation, companies that do business in the State of California and that fall under the CRPA’s definition of business should be prepared for the potential passage of the CRPA by understanding its requirements.