The California legislature passed one of the nation’s strictest data privacy rules on June 28, creating a watershed moment in U.S. data privacy reform. The California Consumer Privacy Act of 2018 (AB-375) gives Californians several specific rights to control the movement of their personal information, including the right to know what is being collected about them and what is being sold and re-disclosed, and the right to prevent the sale of their personal data.

The passage of this law will substantially impact the data use policies of major technology companies and retailers, and could serve as a catalyst for federal data privacy legislation. It also creates a private right of action for data breaches that result in disclosure of personal information, without any requirement of proof of harm. This could lead to a flood of new class actions arising out of data breaches. Unless the Act is changed by subsequent legislation or a new successful ballot initiative, the law will go into effect on January 1, 2020.

What Does the Law Do?

  • Directs companies to make disclosures about the information they collect from consumers and their business purposes for the data collection.
  • Grants consumers the right to request deletion of their personal information through a “verified request” and to opt out entirely from the sale of their personal information.
  • Companies are prohibited from discriminating against consumers for exercising any of these rights. However, the law does allow companies to offer financial incentives for collection of personal information.
  • Prevents businesses from selling the personal data of online consumers under the age of 16.
  • Makes it easier for consumers to sue companies following a data breach.

The legislation includes an expansive definition of “personal information,” including identifiers such as IP addresses, internet or other electronic network activity information such as browsing history and search history, geolocation data, and any inferences drawn from these data to create a profile about a consumer’s preferences, behavior, or characteristics.

Heading Off a More Sweeping Ballot Initiative

This legislation was fast-tracked to preempt a ballot initiative backed by Californians for Consumer Privacy, a coalition of consumer protection and advocacy organizations, which was picking up support ahead of a November vote (the ballot initiative has since been withdrawn). There are a few substantive policy differences between the two. For example, under the ballot initiative, companies would not be able to deny a consumer service if they opt out of certain data uses. The AB-375 legislation does allow companies to offer different tiers of service, as long as the difference in tiers is reasonably related to the value provided to the consumer by the consumer’s data. The precise meaning of these terms will likely be hashed out in court.

The new legislation’s private right of action authorizing consumers to sue is also significantly more restrictive than the expansive mechanism proposed in the ballot initiative, which many feared would fuel a surge in class-action litigation. The ballot initiative would have allowed consumers to sue not only for violations of the law's requirements, but also for data breaches involving the consumer's information, and provided statutory damages of $1,000 to $3,000 per violation.

The ballot initiative also expressly provided that any violation of the statute would constitute an "injury in fact”—an evident attempt to ground standing in federal courts under Spokeo, Inc. v. Robins. As explained further below, the new legislation, by contrast, limits the statutory damages available for violations, while also giving companies the right to cure alleged violations before being hauled into court.

Unlike the ballot initiative, the law does not expressly provide that violations automatically constitute “injuries in fact,” which benefits companies seeking to argue that “harmless” or “technical” violations should not create standing in federal court to enforce the law.

Implementation and Enforcement

Companies will be required to clearly post a link titled “Do Not Sell My Personal Information” that allows a consumer to opt out of the sale of the consumer’s personal information. Separate or additional homepages for California-based residents are permissible as long as the company takes reasonable steps to redirect California residents to that specific page. Upon receiving a verifiable request, companies must deliver any collected “categories and specific pieces of personal health information” to the consumer within 45 days.

As mentioned above, the law creates a private right of action for consumers to sue based on the unauthorized access, disclosure, or theft of their non-encrypted or non-redacted information “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The new legislation provides for statutory damages of $100 to $750 per violation, unless the consumer suffered “actual damages” exceeding that limit. Importantly, “actual damages” are not a prerequisite to bringing suit.

Before filing a class action or individual suit for these statutory damages, the consumer must provide the company with 30 days’ written notice of the specific violations alleged. If the business “actually cures” the alleged violations within 30 days, the consumer is barred from bringing suit. Within 30 days of actually filing an action, the consumer must notify the California Attorney General. The legislation essentially gives the Attorney General a “first right of refusal”: the consumer may only proceed with the suit if, within 30 days, the Attorney General declines to prosecute the action.

The law does not contain a private right of action for violation of its restrictive opt-out provisions, but it does create a new private action for data breaches resulting in disclosure of personal information. In such cases, aggrieved consumers can sue even without proof of harm. This potentially expands considerably the potential class action risk for data breaches in California. Previously, under California’s Data Breach Notification Law, companies had a duty to notify California residents who had become victims of data breaches, but did not attach potential damages to the failure to prevent such breaches by third parties.

That said, companies will have potential defenses against liability under the new law based on the requirement that the breach or theft of consumers’ information be “the result of” the company’s failure to implement “reasonable security procedures” that are proportionate to the “nature of the information” at issue.

In addition to enforcement duties, the Attorney General is also directed to create additional regulations implementing the legislation, kicking off what will undoubtedly be a long process of public input from both consumer groups and industry.

Enhanced Privacy Protections Around the Globe

The legislation bears some similarities to the European Union’s General Data Protection Regulation (GDPR), particularly the transparency requirements, the right to request deletion, and a strict data breach regime.

Considerations around overlap with the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and the APEC Cross-Border Privacy Rules (CBPR) system will also be important. Companies will be looking for assurances that they can move data across borders both within the US, across the Asia-Pacific region and with the E.U.

What’s Next?

Industry groups are already mobilizing on efforts to reform the legislation, which many see as overly restrictive and difficult to implement for internet economy business models. TechNet, a national coalition that has been fighting against the ballot initiative for some time, stated that “even [the legislation’s] authors have acknowledged it is far from perfect and will need revisions in the months ahead as its consequences and workability are better understood.” Over the next two years before the law goes into effect, we’ll likely see companies engaging in heightened state, federal and international lobbying efforts, working out the overlaps and differences between this California legislation and other privacy regimes like GDPR and the APEC CBPRs and rapidly moving to revise their privacy policies and practices.