July 23, 2019

July 22, 2019

California Voters Likely to Consider Enacting GDPR-Like Privacy Law in November

With more than double the number of required signatures well ahead of the verification deadline late this month, the citizen-initiated measure "The California Consumer Privacy Act of 2018" appears headed for the statewide ballot on November 6. If approved by a majority of Golden State voters, the ballot measure would greatly expand right-to-know and opt-out requirements, subjecting covered businesses to increased costs for compliance and strict liability for any violations.

If enacted into law, the ballot measure will apply to companies that conduct business in California or collect California residents’ personal information. Small businesses, however, will be spared, as the measure only applies to businesses that have annual gross revenues over $50 million, annually sell (alone or in combination) the personal information of 100,000 or more consumers or devices, or derive 50 percent or more of annual revenue from selling consumers’ personal information. Just as with Europe’s recently enacted GDPR, these covered businesses will have to decide whether to treat California consumers differently or implement these standards nationally.

Expanded Privacy Rights

The ballot measure builds on California’s Online Privacy Protection Act and Shine the Light law, which, together, already require businesses engaging consumers in California to post a privacy policy disclosing what personal information they collect and to provide a mechanism for consumers to opt out of sharing personal information for direct marketing purposes. The ballot measure, however, would require disclosure of personal information that is collected or shared for any reason—business-to-business, direct marketing, or other. The measure also defines "personal information" more broadly to include, for example, biometric data, browsing history and similar website interactions, geolocation data, and inferences drawn from any such information. The ballot measure does not apply to information protected under HIPAA.

California's ballot measure provides consumers, defined as California residents, with:

  • the right to know what personal information a business has collected about them;

  • the right to know what personal information about them has been disclosed and to whom; and

  • the right to direct a business not to sell their personal information (i.e., the right to opt out).

Covered businesses would only be required to disclose and/or provide such requested information to the same consumer once in any 12-month period. Should a consumer decide to opt out, this decision must be respected for at least 12 months and no subsequent sale of that consumer’s personal information is permitted without express consent. Further, covered businesses would be prohibited from charging different prices, providing a different quality or level of goods or services, or otherwise discriminating against consumers who exercise any of these rights.

Increased Obligations for Covered Businesses

If not already subject to and in compliance with the obligations under the GDPR, affected businesses would have to make some upfront investments in their data privacy practices. Most notably, covered businesses would need to be able to verify and respond to consumer requests for information within 45 days, in addition to tracking and respecting opt-out requests. The ballot measure requires two or more designated methods for submitting requests for information, including, at minimum, a toll-free telephone number and a website address (if applicable). Additionally, websites and privacy policies must be updated to include a description of consumers’ rights, a clear and conspicuous link on both the homepage and privacy policy page, titled "Do Not Sell My Personal Information," and lists of all categories of personal information collected by the business or sold or disclosed to third parties in the previous 12 months.

If approved by a majority of Californians voting in November’s election, covered businesses will have nine months to comply with the ballot measure.

Avenues for Enforcement and Financial Penalties

If the measure is enacted, covered businesses would be wise to comply immediately due to the risk of harsh financial penalties. The ballot measure provides multiple avenues for enforcement: a private right of action by consumers, a civil action brought by the Attorney General, and whistleblower actions. In any of these instances, the measure provides for damages of $1,000 per violation or actual damages, whichever is greater. For willful or knowing violations, the amount for each violation is "not less than one thousand dollars ($1,000) and not more than three thousand dollars ($3,000), or actual damages, whichever is greater, for each violation from the business or person responsible for the violation." Notably, the ballot measure provides that any consumer who has suffered a violation may bring an action for statutory damages—and that a violation "shall be deemed to constitute an injury in fact to the consumer who has suffered a violation." The ballot measure also incentivizes whistleblowers by providing a right to a percentage of any civil penalties.

Liability may also result if a third party, to which the covered business sold personal information, discloses the information in violation of the ballot measure and the covered business is found to have had actual knowledge or reason to believe that the third party intended to commit such a violation. Further, any security breach constitutes a violation under the ballot measure unless the covered business is found to have implemented and maintained "reasonable security procedures and practices."

As a citizen-initiated measure, 365,880 valid signatures are required to be certified for California’s November 6, 2018, statewide ballot. The deadline for signature verification is toward the end of June, but it is likely not a concern given that the initiative has already received more than double the required number of signatures. Under California law, if the ballot measure is passed, it may only be amended by another ballot measure approved by the voters and passed by a vote of 70 percent of the members of each house of the legislature and signed by the governor. As expected, there is an opposition coalition comprising several major companies, but it may be weakening given the current climate created by the Cambridge Analytica scandal and rampant data breaches. Potentially affected companies should begin to consider the implications and costs of compliance given the chance this ballot measure becomes effective in November.

Copyright © by Ballard Spahr LLP

About this Author

David Stauss, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney
Partner

David M. Stauss focuses on complex business and commercial litigation in state and federal courts. He handles all aspects of litigation on a wide range of substantive matters for clients, including product liability, landowner liability, and commercial lending.

Mr. Stauss is head of the Denver office's privacy and cybersecurity practice group. He advises clients on regulatory and statutory compliance issues, third-party vendor management policies and contractual provisions, cyber liability insurance retention and coverage analysis, information...

303-299-7363
Gregory Szewczyk, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney
Associate

Greg Szewczyk is a litigator with experience serving as a member of several trial and arbitration teams. His responsibilities include examining witnesses at trial; drafting opening and closing presentations; drafting dispositive, discovery and pretrial motions, as well as appellate briefs; taking and defending depositions; arguing evidentiary and procedural issues; preparing witnesses for testimony; and drafting scripts for direct and cross-examinations. He is also a member of the Denver office’s cybersecurity practice group.

303-299-7382
Malia Rogers, Ballard Spahr Law Firm, Denver, Finance Law Attorney
Associate

Malia K. Rogers is an associate in the firm's Public Finance Department. In addition to her focus in public finance, Malia has experience with privacy and cybersecurity matters.

Before entering the legal profession, Malia was a marketing and business development professional, including at eBay Enterprise.

Professional Activities...

303-299-7356