October 20, 2019


California Passes Toughest Online Privacy Law in the U.S.

With the GDPR just over one month old, the California legislature has now passed its own version of the European privacy law, ushering in the toughest rules on internet privacy in the country. AB 375, the California Consumer Privacy Act of 2018 (the Act) received unanimous approval by the California Assembly and Senate and was signed into law by Governor Jerry Brown on June 28. The legislation was hurried through the California Assembly and Senate in less than a week to meet the deadline to pull a state ballot initiative in November that called for stringent privacy measures to protect California residents. The legislation specified that it would not go into effect unless the ballot initiative was dropped, which has now occurred.

Key Provisions

The law, which takes effect in 2020, applies to any entity doing business in the State of California that meets one of the following thresholds:

  • has annual gross revenues over $25,000,000;

  • sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or

  • derives 50% or more of its annual revenues from selling consumers' personal information.

The Act includes a broad definition of personal information and creates rights to know what data companies are collecting, why they are collecting it, and with whom they are sharing it. In addition, the Act provides that:

  • Consumers can bar covered businesses from selling their data, and businesses are prohibited from discriminating against consumers for exercising this right, including by charging different prices or providing a different quality of goods or services, unless the difference is reasonably related to the value provided by the data.

  • Businesses must disclose the purposes for which information is used. They are also required to provide a link to a "Do Not Sell My Personal Information" section on the home page of their websites to make it easy for consumers to opt-out.

  • Consumers have the right to request deletion of personal information.

  • Businesses are barred from selling the personal information of a consumer between 13 and 16 years of age unless the sale is affirmatively authorized as specified in the Act (referred to as the right to opt in).

  • The law gives consumers a private right of action, enforced by the state Attorney General, for "certain unauthorized access and exfiltration, theft, or disclosure of a consumer's nonencrypted or nonredacted personal information," subject to recovery of statutory or actual damages, whichever is higher.

  • The Act creates a Consumer Privacy Fund in the General Fund to support the purposes of the bill and its enforcement.

  • Waivers of a consumer's rights under the Act are void.

As privacy is a matter of statewide concern, the Act also preempts inconsistent state, county, and municipal laws. It does not apply to the collection and use of information covered by federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act, or to information collected pursuant to the Gramm-Leach-Bliley Act or the Driver's Privacy Protection Act, to the extent the Act conflicts with those two laws.

While AB 375 bars businesses from penalizing consumers who exercise their rights under the Act, it permits businesses to offer financial incentives for the collection, sale, or deletion of personal information, including payments to consumers as compensation. And, as noted above, businesses are allowed to charge higher rates for goods or services to consumers who opt out, "if that price or difference is directly related to the value provided to the consumer by the consumer's data."

Importantly, the law specifies that the obligations on businesses shall not restrict their right to comply with applicable laws or legal and regulatory inquiries, cooperate with law enforcement, exercise or defend legal claims, or collect and use de-identified information. As a practical matter, most businesses must share data with multiple service providers to offer their services.

Future Rules and Actions

The Act envisions additional rulemakings to implement its provisions. For example, it contemplates new rules, within one year, to establish any exceptions necessary to comply with existing state or federal laws, and rules and procedures to facilitate consumer access requests, compliance with consumer access requests, and the development of a uniform opt-out logo or button. It is contemplated that additional rules will address required notices, procedures to verify a consumer who makes an access request, and monetary threshold adjustments, among other things, and the Attorney General is authorized to adopt additional regulations as necessary to further the purposes of the Act.

The Act includes some significant differences from the now-withdrawn ballot initiative. For example, the ballot initiative included a provision that required a 70% majority in both houses to change it after it became law, and another that provided a bounty for whistleblowers. Nevertheless, establishing a private right of action, with statutory damages, could create a bonanza for plaintiff's attorneys frustrated by legal barriers to data breach suits where no damages have been incurred.

The rush to passage to forestall the ballot initiative has already led to suggestions that some modifications should be adopted, both by privacy advocates who think the law does not go far enough and by businesses concerned about its restrictions, so this may not be the last word on the law. The details are important, as California has often been at the forefront of expanding legislation. In 2003, for example, California was the first state to enact a data breach law, which proved to be the primary model for legislation passed by other states, all of which have now passed data breach legislation. U.S. state data breach legislation was likewise a model for a data breach provision in the GDPR.

The sweeping provisions of California's privacy law could encourage other states, frustrated by inaction at the federal level, to follow suit. Variations in state data breach legislation create challenges for businesses, since data breach notification triggers and obligations vary, as we have previously reported. This, in turn, may further prompt discussions about a general preemptive federal privacy law, so the state and federal privacy legislative landscape is expected to remain highly active for the foreseeable future.

© 2019 Keller and Heckman LLP


About this Author


Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies,...


Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association