Just when you thought that you were done with compliance with data protection regulations, the State of California recently passed a law which expands consumer privacy protection. The California Consumer Privacy Act of 2018, which takes effect in 2020, is the most stringent privacy protection within the United States. While the law only applies to California companies and those companies doing business in California, the new law is likely to have broad application throughout the digital world.
The basic premise of the CA Privacy Act, while similar to the General Data Protection Regulation (GDPR), expands consumer rights regarding the collection and protection of personal information. The definition of personal information includes elements of GDPR and adds tracking data and unique identifiers, behavioral and profiling data, and professional data (specifically including employment-related data).
Like the GDPR, the law permits an individual to know what information is being collected about them, with whom that data is being shared and permit data collected about them deleted. The statute adds requirements about the sale/transfer of data to third parties and specifically permits an individual to opt out of data sales to third parties. The Privacy Act, in short, clearly establishes the principle that consumers own and control their personal information. Its greatest impact is likely to affect businesses that monetize personal information by selling such information to third parties.
One unique provision is that the law permits businesses to incentivize consumers who allow for the sale of their personal information. These financial incentives could include a different price, rate, level or quality of goods and services when “reasonably related” to the value provided to the consumer by use of the consumer’s data. However, the law adds potentially conflicting language that says businesses cannot discriminate against consumers who opt out.