Facebook has recently chosen to no longer fund opposition to the California Consumer Privacy Act, which could appear on the California State Ballot as an initiated state statute on November 6, 2018. The petition summary describes the potential statute as follows:
Gives consumers right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed. Gives consumers right to prevent businesses from selling or disclosing their personal information. Prohibits businesses from discriminating against consumers who exercise these rights. Allows consumers to sue businesses for security breaches of consumers’ data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies. Imposes civil penalties. Applies to online and brick-and-mortar businesses that meet specific criteria.
Previously, Facebook had joined with Google, Comcast, Verizon and AT&T in funding the opposition, with each of the companies donating $200,000. Facebook spokeswoman Rochelle Nadhiri explained the decision to cease its contributions: “We took this step in order to focus our efforts on supporting reasonable privacy measures in California.”
Should the California Consumer Privacy Act pass, it would greatly alter the privacy landscape in which companies such as Facebook do business. Some particularly significant areas of impact are highlighted below:
- Disclosure Rights: Businesses would have to disclose to consumers, upon request, whether their personal information was sold and to whom.
- Consumer Opt Out: Consumers would have the right to opt out of the sale of their personal information at any time. Businesses that sell personal information of consumers would have to provide a notice that the sale is taking place and that informs consumers of their right to opt out.
- Non-Discrimination: Businesses would be prohibited from discriminating against consumers who exercise their rights under the act. Businesses would not be able to deny goods or services, nor charge different rates for goods or services.
- Private Right of Action for Violations of Act: Consumers would be able to sue for violation of the act itself, and recover statutory damages of $1,000 or actual damages on a per violation basis. Knowing and willful violations would raise the statutory damages to up to $3,000. Any violation of the act would be deemed an injury in fact.
- Security Breaches Can Violate the Act: A business that experiences a security breach would violate the act if the business “failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.”
Should the initiative pass, here are some likely consequences for businesses:
- Understanding Personal Information Practices Becomes a Business Necessity: Businesses would require an understanding of their personal information practices to comply with the disclosure rights and consumer opt-outs, along with other portions of the act. Given the private right of action and statutory damages, failing to do so would present an untenable business risk.
- Personal Data Collection and Transfer Must Provide Value to the Consumer: Currently, businesses can incentivize consumers to provide their personal data by offering access to products and services. Based on the non-discrimination portion of the act, this may no longer be possible in all cases. Successful businesses will likely find ways of providing value to consumers through leveraging the consumer’s collected personal information, instead of treating the collection as a by-product of the goods or services being offered.
- Liability for Security Breaches Increases Dramatically: Since a failure to provide reasonable measures to protect personal information, once exposed in the aftermath of a security breach, will become a violation of the act, businesses will seek ways of demonstrating that such reasonable measures are being taken before any security breach occurs. This could further spur the use of software-as-a-service offerings that provide some of these measures in a configurable product that meets business needs. However, nothing will substitute for the business having taken a holistic view of how its products and services function with regard to collecting, using, and transferring personal data.