We often discuss fashiontech and how to build a strong business that revolves around it in a legal manner on this blog. We thought it would be interesting to move away from the prevention side and address what can sometimes happen in court. We’ll therefore be looking at a decision about the concept of “frivolous lawsuits” in the SAfter EU’s General Data Protection Regulation, it is California’s turn to introduce a new privacy act: the California Consumer Privacy Act of 2018. This law, which will go into effect beginning January 1st, 2020, protects all people who are considered California residents for tax purposes. We therefore thought it would be a good idea to give Law on the Runway blog readers a quick overview of this new law.

Please use this as general information, not as legal advice. If you have any questions regarding data privacy regulations, please consult an attorney.

Who must comply

The California Consumer Privacy Act of 2018 mainly targets entities that use data to make a significant part of their revenue. To be more precise, the Act applies to businesses who have an annual gross income in excess of $25 million, who annually buy, receive for their commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices, and who derive 50 percent of more of their annual revenues from selling consumers’ personal information.

Knowledge is primordial

The right to know is one of the four basic rights that were given to California consumers regarding their personal information. This entails having a privacy policy to inform consumers about the use of their data as well as being able to provide more specific information when requested about what personal data the business is collecting, where it came from, what the data will be used for, whether or not it is disclosed or sold to a third-party as well as who it is being disclosed or sold to.

Businesses must provide consumers with at least two ways to submit their requests for disclosure (these means must at least include a toll-free telephone number and a website). Once a consumer request is received, businesses will at 45 days to provide the relevant information.

Opting out is an option

Consumers will be able to decide whether or not they want their personal information to be sold to third-parties. Businesses who engage in such practice will need to disclose it to consumers and will have to provide them with the ability to opt out through a “Do Not Sell My Personal Information” link on their website’s homepage.

Be ready to delete data when requested

The Act allows consumers to request deletion of the personal information a business has collected about them. When such a request is made, businesses must not only delete the data from their records, but also ask service providers to delete that information.

However, there are a few circumstances when a business may keep a consumer’s personal information, even after a request for deletion. Businesses may retain data to comply with a legal obligation, to exercise a right provided for by the law or if the data can be valuable in detecting security incidents, for instance.

Violations will lead to penalties

Intentional violations to the California Consumer Privacy Act of 2018 may lead to civil penalties of up to $7,500 per violation. It is also important to note that consumers have, under the Act, a private right of action, allowing them to seek statutory or actual damages, whichever is greater. Statutory damages range between $100 and $750.

As with all Law on the Runway posts, please data privacy regulations, you may email hello@lawontheruway.com.