Rebekah Mackey, Taft summer associate, contributed to this article.
Just months after the European Union’s General Data Protection Regulation, or “GDPR,” changed the landscape of data privacy around the globe, California reaffirmed its position as the United States pioneer of consumer-friendly data privacy protections with the state legislature’s passage of Assembly Bill No. 375.
The California Consumer Privacy Act (“Act”) was originally a ballot initiative to be voted on by California residents in November, but the fate of the policy changed course rapidly when AB 375 passed within one week of being introduced in the state’s legislature. Here are some of the key provisions of which businesses and consumers should be aware when the law goes into effect Jan. 1, 2020.
- Who must comply? For-profit businesses that do business in California and collect or determine the use of personal information from consumers and either (1) have an annual gross revenue of over $25 million, (2) buy, sell or share personal information of 50,000 or more consumers, households, or devices for commercial purposes, or (3) derive 50% or more of their annual revenues from selling consumers’ information.
- What is considered personal information? Any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act includes a non-exhaustive list of what personal information includes, spanning from identifiers such as names, aliases, addresses, email addresses, account names or driver’s license numbers, internet activity and geolocation information, biometric information, and even “inferences drawn from any information” used to create a consumer profile.
- What rights will California residents have? Consumers can request that a business disclose the categories and specific pieces of personal information that have been collected, and also request disclosure on how the personal data is used, shared or sold to third parties.
- Consumers can request that a business delete their personal information from records maintained by the business or a service provider, and the business must comply except in certain circumstances. Some of these carve-outs include when the data is needed to complete the transaction, is used for certain internal analytics, or must be stored to comply with a legal obligation.
- Consumers can prohibit a business from selling their personal information to a third party, and a business that sells consumer information to third parties must notify the consumer of their right to opt out by a clear and conspicuous link on the business’s webpage.
- Consumers have the right to not be discriminated against when exercising their rights under the Act and cannot be denied goods or services, charged different prices not reasonably related to the value provided to the consumer by the consumer’s data, or be provided a different level or quality of goods or services.
- How will the Act be enforced? The California Attorney General has the power to enforce the statute, and a business can be liable for up to $7,500 per violation. The Act also provides for a private right of action for a breach of unencrypted or unredacted personal information, which can result in actual damages or statutory damages of up to $750 per consumer, whichever is greater. Consumers must first provide a business written notice of the allegations, and the business has a right to cure. If the business fails to cure the alleged violations, then the consumer may proceed with filing the action and must notify the Attorney General of the lawsuit within 30 days of filing. The Attorney General then has the discretion to either prosecute the action, allow the consumer to proceed or bar the consumer from proceeding.
- How does this affect businesses outside of California? The Act only protects California residents, but if a business located outside of the state “does business” in California and meets the above criteria, then this new legislation will have an impact on how the company handles and uses consumer data. Preparing technology infrastructure and procedures sooner rather than later will ensure that businesses are in compliance with the law and can promptly respond to consumer requests when the law goes into effect.
Many have said the Act has a great deal in common with the European Union’s sweeping reforms, but there are some notable differences between the Act and the GDPR rights for data subjects. California’s law embodies the American consumer law staple of “opting out” of certain actions after the information has already been collected. This is in stark contrast with the GDPR, which more commonly requires consumer notice and consent before personal information is collected. Therefore, businesses will be able to collect personal information as before, but consumers will now have more control over their personal information, provided they choose to exercise it.
While this is a victory for privacy advocates, there have been several reports that the landmark legislation will likely be amended in coming legislative sessions in light of criticism from some of California’s largest tech companies. The final outcome is still years away, but this bold step in consumer privacy protection will likely ignite further discussion throughout the country’s legislatures on how personal information is collected, used, stored and sold.