At the end of June 2018, the California legislature quickly passed, and Governor Jerry Brown signed, the California Consumer Privacy Act of 2018 (AB 375), codifying a significant number of data privacy rights, similar in some respects to the GDPR, for California residents. The statute does not go into effect until January 1, 2020. There is much speculation that the bill was rushed through the legislature to the Governor’s desk to stave off a more restrictive ballot measure that the large data companies heavily opposed, and the law, as enacted, may undergo significant changes prior to its effective date. Although the scope and impact of the California law may change before it becomes effective, companies should nevertheless study the legislation and develop a compliance strategy prior to 2020. In addition to complying with the California data privacy scheme, corporations and their legal and compliance teams should expect other states to follow California’s lead on this critical issue and plan accordingly.
The law grants consumers (defined as all citizens of California) the following rights with respect to their personal information (PI): (i) to know what personal information is being collected about them; (ii) to know whether their personal information is sold or disclosed and if so, to whom; (iii) to “say no” to the sale of PI; (iv) to access their own PI; and (v) if they do exercise their privacy rights with respect to their personal data, to receive equal levels of service and treatment by businesses as those consumers who do not exercise these rights.
The California definition of PI is somewhat broader than the definition in the GDPR. “Personal Information” is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition of PI goes on to include, but is not limited to, various categories of information: name, address, email addresses, social security, driver’s license and passport numbers; products or services purchased; internet browsing and search history; and education and employment-related information. PI does not include publicly available information, which is defined as information that is lawfully made available by a government agency, and which is used for the purpose for which it was made public.
As written, the law applies to businesses that collect consumers’ PI, do business within the State of California, and either: (i) have annual gross revenues in excess of $25,000,000; (ii) alone or in combination annually buy, sell, or share the PI of 50,000 or more consumers, households or devices; or (iii) derive 50% or more of their annual revenues from selling consumers’ PI.
If subject to the statute, businesses collecting a consumer’s PI must, at or before the point of collection, inform the consumer of the categories of PI to be collected and the purposes for which the PI will be used. Uses of the PI outside the scope of the initial disclosure require additional notices to the consumer. Further, consumers have the right to request that a business disclose, and upon receipt of such a request a business has the obligation to disclose: the specific categories of PI it collects; the categories of sources from which the PI is collected; the commercial purpose for collecting and selling the PI; the categories of third parties with whom the business shares the PI; and the specific pieces of PI the business has collected about the consumer. Further, upon request, a business must provide a consumer with access to the collected PI in a manner that allows the consumer to port the data to another entity. A consumer may make such requests no more than twice in a calendar year.
In addition to obtaining information regarding the PI that a business has collected and access to such information, a consumer has the right to request that the business delete PI that the business has collected about the consumer, subject to certain exceptions. Businesses must provide consumers with notice that they have this “right to be forgotten.”
Prior to a sale of a consumer’s PI, businesses must provide notice to the consumer regarding the proposed sale of the consumer’s PI and, upon request, the categories of PI to be sold. Businesses must also provide consumers with the opportunity to opt out of the sale of their PI. This opt-out notice must be provided via a clear and conspicuous link on the company’s homepage that reads “Do Not Sell My Personal Information” and leads to a page that allows the consumer to opt out.
The bill does not restrict a business’s ability to collect or sell de-identified or aggregate consumer information, or information collected while the consumer was not in California. Additional exemptions apply to information collected by credit bureaus under the FCRA; information regulated by HIPAA or the California medical information privacy statute; and other collections or disclosures required by law.
The California Attorney General has the authority to impose sanctions against companies that violate AB 375. Fines for intentional violations of the statute may be as high as $7,500 per violation. In addition to the civil penalties assessed by the state, consumers have a private right of action against businesses that expose a consumer’s PI to a data breach involving the “unauthorized access and exfiltration, theft, or disclosure…” of PI “… as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information….” The relief available to a plaintiff in such an action is monetary damages of up to $750; injunctive or declaratory relief; and any other relief the court deems proper.
California has long been a leader in enshrining its citizens’ privacy rights into law. AB 375 extends this right of privacy to consumers’ personal data and its collection and sale. The law, as currently enacted, is a bit confusing and its actual effect on the businesses within its ambit unclear. As mentioned at the outset of this piece, however, businesses should focus on AB 375 as a model for what to expect in terms of legislative regulation of consumer data, in California and on a national level.