California Consumer Privacy Act of 2018
This past week, California passed legislation which affords its citizens many of the same protections as the EU's General Data Protection Regulation. The California Consumer Privacy Act of 2018 gives Californians the right to know the data companies have collected about them; the right to have such data deleted; the right to prevent the sale of such information; and the right to know which third parties their data is shared with. The State has the power to enforce the act, and individuals also can bring their own private actions in the event their data is breached. The CCPA even has its own web site: https://www.caprivacy.org/
The California Constitution was amended in 1972 to include a right to privacy. The Act declares that the right to control the use of personal information is part of this right of privacy.
Here are some notable provisions of the Act.
Upon receiving a data deletion request from a consumer, a business not only has to delete its own records, but also must, "direct any service providers to delete the consumer’s personal information from their records." Cal. Civil Code § 1798.105(c). However service providers are given an out. They can retain the personal information if it is necessary to complete a commercial transaction initiated by the consumer; detect security problems or fraud; or engage in research in the public interest.
Businesses are required to have a link on their homepage entitled, "Do Not Sell My Personal Information" that enables consumers to opt out of the sale of their information. § 1798.135(a)(1). The business then can't contact the consumer to request the sale of the information again for another 12 months.
When non-encrypted or non-redacted personal information is compromised in a data breach, the consumer will have a right to bring an action for damages of between $100 - $750 per incident, or actual damages - whichever is greater. Injunctiive or declaratory relief is also available. § 1798.150(a)(1).