California Passes Toughest Online Privacy Law in the U.S.
With the GDPR just over one month old, the California legislature has now passed its own version of the European privacy law, ushering in the toughest rules on internet privacy in the country. AB 375, the California Consumer Privacy Act of 2018 (the Act) received unanimous approval by the California Assembly and Senate and was signed into law by Governor Jerry Brown on June 28. The legislation was hurried through the California Assembly and Senate in less than a week to meet the deadline to pull a state ballot initiative in November that called for stringent privacy measures to protect California residents. The legislation specified that it would not go into effect unless the ballot initiative was dropped, which has now occurred.
The law, which takes effect in 2020, applies to any entity doing business in the State of California that meets one of the following thresholds:
has annual gross revenues over $25,000,000;
sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
derives 50% or more of its annual revenues from selling consumers' personal information.
The Act includes a broad definition of personal information and creates rights to know what data companies are collecting, why they are collecting it, and with whom they are sharing it. In addition, the Act provides that:
Consumers can bar covered businesses from selling their data, and businesses are prohibited from discriminating against consumers for exercising this right, including by charging different prices or providing a different quality of goods or services, unless the difference is reasonably related to the value provided by the data.
Businesses must disclose the purposes for which information is used. They are also required to provide a link to a "Do Not Sell My Personal Information" section on the home page of their websites to make it easy for consumers to opt-out.
Consumers have the right to request deletion of personal information.
Businesses are barred from selling the personal information of a consumer between 13 and 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt-in.
The law gives consumers a private right of action, enforced by the state Attorney General, for "certain unauthorized access and exfiltration, theft, or disclosure of a consumer's nonencrypted or nonredacted personal information," subject to recovery of statutory or actual damages, whichever is higher.
The Act creates a Consumer Privacy Fund in the General Fund to support the purposes of the bill and its enforcement.
Waivers of a consumer's rights under the Act are void.
As privacy is a matter of statewide concern, the Act also preempts inconsistent state, county, and municipal laws. It does not apply to the collection and use of information covered by federal laws such as the Health Information Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act, or to information collected pursuant to the Gramm-Leach-Bliley Act or Driver's Privacy Protection Act, if it is in conflict with those two laws.
While AB 375 bars businesses from penalizing consumers who exercise their rights under the Act, it permits businesses to offer financial incentives for the collection, sale, or deletion of personal information, including payments to consumers as compensation. And, as noted above, businesses are allowed to charge higher rates for goods or services to consumers who opt out, "if that price or difference is directly related to the value provided to the consumer by the consumer's data."
Importantly, the law specifies that the obligations on businesses shall not restrict their right to comply with applicable laws or legal and regulatory inquiries, cooperate with law enforcement, exercise or defend legal claims, or collect and use de-identified information. As a practical matter, most businesses must share data with multiple service providers to offer their services.
Future Rules and Actions
The Act envisions additional rulemakings to implement its provisions. For example, it contemplates new rules, within one year, to establish any exceptions necessary to comply with existing state or federal laws, and rules and procedures to facilitate consumer access requests, compliance with consumer access requests, and the development of a uniform opt-out logo or button. It is contemplated that additional rules will address required notices, procedures to verify a consumer who makes an access request, and monetary threshold adjustments, among other things, and the Attorney General is authorized to adopt additional regulations as necessary to further the purposes of the Act.
The Act includes some significant differences from the now-withdrawn ballot initiative. For example, the ballot initiative included a provision that required a 70% majority in both houses to change it after it became law, and another that provided a bounty for whistleblowers. Nevertheless, establishing a private right of action, with statutory damages, could create a bonanza for plaintiff's attorneys frustrated by legal barriers to data breach suits where no damages have been incurred.
The rush to passage to forestall the ballot initiative has already lead to suggestions that some modifications should be adopted, both by privacy advocates who think the law does not go far enough and by businesses who are concerned about restrictions, so this may not be the last word on the law. The details are important as California has often been at the forefront of expanding legislation. In 2003, for example, California was the first state to enact a data breach law, which proved to be the primary model for legislation passed by other states, all of whom now have passed data breach legislation. U.S. state data breach legislation was likewise a model for a data breach provision in the GDPR.
The sweeping provisions of California's privacy law could encourage other states, frustrated by inaction at the federal level, to follow suit. Variations in state data breach legislation creates challenges for businesses, since data breach notification triggers and obligations vary, as we have previously reported. This, in turn, may further prompt discussions about a general preemptive federal privacy law, so the state and federal privacy legislative landscape is expected to remain highly active for the foreseeable future.