California Sets the Stage with Sweeping Privacy Law

If your business is not yet paying full attention to privacy and data protection (or quietly waiting for GDPR to play out), California legislators have finally given you the opportunity to do so. On June 28, 2018, Governor Brown signed the California Consumer Privacy Act (AB 375) into law.

The California Consumer Privacy Act will become effective January 1, 2020. While companies will have a year and a half to plan its implementation, preparing to comply with the strictest privacy-related rules in the United States will be quite time-consuming. Many ambiguities and inconsistencies in the Act will need to be amended and clarified by the State’s Attorney General’s implementing regulations, as the Act was hastily drafted within a week (as opposed to over four years of drafting the EU’s General Data Protection Regulation (GDPR) that became enforceable on May 25, 2018), in order to avert a costly showdown over a ballot measure, cleared for a vote in California this fall, with even more stringent requirements.

A “GDPR-esque” Law Rooted in California’s Constitutional Right to Privacy‍

The Act applies in connection with the personal information of California residents processed by companies, and includes many concepts, such as individual rights, that are reminiscent of the EU’s GDPR. Among those concepts:

• “personal information” is defined much more broadly than typical under U.S. privacy laws. Personal information extends to any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This would include IP addresses, unique identifiers of a particular consumer or device as well as browsing histories and tendencies. In that respect, it is much more akin to personal data under GDPR than the long-used US standard of “PII” or “personally identifiable information”;

• transparency, a key tenet for privacy advocates and a core principle of GDPR, is very much at the heart of the Act, requiring businesses to be transparent with consumers about their data collection and processing activities and disclose the categories of personal information they collect, sell, and share; and​

• the GDPR’s individual rights, namely the right of access, the right to data portability and the highly contentious right to be forgotten, are all included in the Act.

Companies will also be required to provide consumers with the right to opt-out of the “sale” (also defined very broadly) of their personal information. To do so, companies must have a conspicuous link to a “Do Not Sell My Personal Information” page, which must enable consumers to exercise their right to opt out of the sale of their information.For consumers between 13-16, the consumer would have to provide express opt-in consent to allow their information to be sold. With respect to consumers under age 13, their parent or guardian will have to provide their affirmative consent.

In fact, those who have worked toward GDPR compliance will find themselves one step ahead of the pack.

Who Must Comply?‍

A company doing business in California will be subject to the Act if the company has annual gross revenues in excess of $25M. Additionally, companies will be subject to the Act if: (a) the company derives fifty percent or more of its annual revenue from selling consumer personal information; or (b) the company annually purchases, receives for commercial purposes, sells, or shares for commercial purposes personal information relating to fifty thousand or more consumers, households, or devices. In other words, the Act has a broad spectrum.

Although companies are prohibited under the Act from charging different prices or providing differing service levels to consumers that exercise their opt-out rights, the Act does allow business to offer certain financial incentives for the rights to collect and sell a consumer’s information.

Under the Act consumers may bring a private action against businesses. It is still unclear if the private right of action applies solely to traditional security breaches or also to violations of the Act.

We will continue to monitor developments, including legislative amendments. California tends to be at the forefront of privacy laws and we expect many states to follow with similar legislation. As with GDPR, we always recommend periodic data audits, as well as maintaining a data flow map – both of which are step one in moving toward compliance with privacy laws that have (and will continue to) become increasingly pro-consumer.