The Act becomes effective Jan. 1, 2020; however, it notably provides an exception for when personal information is reported in or used to generate a "consumer report" as defined by the federal Fair Credit Reporting Act (FCRA). Thus, organizations should closely review the statutory language with legal counsel to determine whether the various requirements in the Act apply to a background screening report issued by a consumer reporting agency, such as Truescreen.

Applicability

This Act applies to any sole proprietorship, partnership, limited liability corporation, corporation, or other legal entity that:

• Has annual gross revenue over $25,000,000
• Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
• Derives 50 percent or more of its annual revenues from selling consumers' personal information

Exemptions

As mentioned above, Sec. 1798.145(d) of the Act states: "[t]his title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)."

In addition to consumer reporting, the Act states that the "obligations" do not apply when:

• Complying with federal, state, or local laws;
• Complying with civil, criminal, or regulatory inquiries under federal, state, or local laws;
• Cooperating with law enforcement;
• Exercising or defending legal claims;
• Collecting, using, retaining, selling, or disclosing consumer information that is "de-identified or in the aggregate consumer information";
• Collecting information wholly outside of California;
• Collecting health information pursuant to HIPPA;
• Collecting information pursuant to the federal Gramm-Leach-Bliley Act;
• Collecting information pursuant to the Driver's Privacy Protection Act.

Requirements to Comply

The Act's consumer privacy protections and requirements generally fall under six distinct categories: 1) Covered Information; 2) Right to Request Information; 3) Right to Delete Information; 4) Notice & Opt-out; 5) Responding to Consumers and Forms; and 6) Discrimination. These categories cover several newly adopted policies, requiring applicable organizations to: comply with a consumer's request for information; delete a consumer's information, upon request; provide consumers an opt-out option; offer the organization's privacy information in a readily usable format; and operate without discrimination against a consumer who exercises his or her privacy rights.

1. Covered Information

This Act protects "personal information" including any information that "identifies, related to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Examples of personal information might include identifiers such as a name, email address, social security number, or passport information. Personal information also includes commercial information and purchasing history, biometric information, internet and electronic network activity, geolocation data, education and professional information, or inferences about consumer preferences, characteristics, and psychological trends. Personal information does not include any information that is "publically available." The Act defines "publically available" as information that is "lawfully made available from federal, state, or local government records" or that is de-identified from the original consumer. Information is not "publically available" if it is aggregate consumer information or if the data is used for a purpose that is not compatible with the purpose for which the data is maintained.

2. Right to Request Information

Upon receiving a verifiable request, a business must comply with a consumer's request for information. A verifiable request provides information to identify the consumer with the personal information previously collected by the business. Any consumer has the right to request that a business that collects personal information to disclose to the consumer:

• The categories of personal information the business has collected;
• The categories of sources from which the personal information is collected;
• The business or commercial purpose for collecting or selling information;
• The categories of third parties with whom the business shares personal information;
• The specific pieces of person information that the business has collected about the consumer.

A consumer has the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to the consumer:

• The categories of personal information the business has collected about the consumer;
• The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold;
• The categories of personal information that the business disclosed about the consumer for a business purpose.

3. Right to Delete Info

A consumer has the right to request for a business to delete any personal information the business has collected from the consumer. When a business receives a verifiable request to delete such information, the business must delete the consumer's personal information from its records and "direct any service providers to delete the consumer's personal information from their records."

If is it necessary for the business to maintain the consumer information, there are exceptions where a business is not required to comply with a request to delete information. Exceptions exist when the consumer's personal information is required to:

• Complete the transaction for which the personal information was collected;
• Detect security incidents or illegal activity;
• Debug to identify and repair errors;
• Exercise free speech;
• Comply with the California Electronic Communications Privacy Act;
• Engage in public or peer-reviewed scientific research and deletion would impair research;
• Enable solely internal uses that are reasonably aligned with the exceptions of the consumer based on the consumer's relationship with the business;
• Comply with a legal obligation;
• Use the personal information, internally, in a lawful manner;

4. Notice and Opt-Out

A business must provide notice to a consumer before collecting, selling, or disclosing information. All consumers must be given an "opt-out" option before the personal information may be used or shared. If a consumer chooses to opt-out, the business no longer has consent to use the personal information, unless the consumer "subsequently provides express authorization."

The Act creates a separate standard for minors, stating that anyone under the age of 16 must "affirmatively authorize the sale of their consumer's personal information," also known as opting-in.

5. Responding to Consumers and Forms

Businesses must provide information to a consumer but are not required to do so more than twice in a 12-month period. A business must deliver information by mail or electronically in a "readily usable format."

Businesses must have at least 2 locations where a consumer can request information that provide a toll-free telephone number and website address for the business. The business must disclose and deliver the information, free of charge, within 45 days of the consumer's request. The request form must be "reasonably accessible to consumers" and provide:

• A "clear and conspicuous" link titled "Do Not Sell My Personal Information" accessible on its homepage, its page for online privacy policies, and any page for California specific consumer privacy rights;
• Description of consumer privacy rights;
• Guidance to consumers on how to exercise their privacy rights;
• Assurance that a consumer's opt-out request will be respected.

6. Discrimination

Businesses cannot discriminate against a consumer "because the consumer exercised any of the consumer rights" permitted under this Act. The Act specifies some examples of discriminating against consumer including denying goods or services, charging different prices or rates, providing different quality levels, or suggesting that any of the mentioned outcomes may occur.

Businesses are permitted, however, to offer a different price, rate, level, or quality of goods or services if that change is "directly related to the value provided to the consumer by the consumer's data." Additionally, businesses may offer consumers compensation or financial incentives for the collection, sale, or deletion of personal information; the consumer must give prior opt-in consent which may be revoked at any time.

Conclusion

The California Consumer Privacy Act (the "Act") includes several provisions intended to increase consumer data privacy by imposing additional requirements on businesses that collect personal information. The most noteworthy provisions require applicable organizations to comply with a consumer's request for information, delete a consumer's information, upon request, and provide consumers an opt-out option. The Act also provides for several exemptions, including for personal information that is sold "to or from a consumer reporting agency" for a consumer report and used for a purpose "limited" by the FCRA. Organizations that conduct background screening would be well advised to consult with legal counsel before determining whether their use of consumer reports is exempt from the Act's requirements.