On June 28, 2018, the California state legislature voted to approve Assembly Bill 375, the California Consumer Privacy Act of 2018 (the “Privacy Act”). The Privacy Act, which imposes several requirements similar to those of the European Union's General Data Protection Regulation (“GDPR”) that took effect in late May 2018, will have a substantial impact on the way companies store, share, disclose, process, and engage with consumer data in the United States. The Privacy Act will take effect on January 1, 2020.
The Privacy Act applies to for-profit businesses that do business in California and collect personal information of California residents. To be covered, a business must also meet at least one of the following three thresholds: 1) have $25 million or more in annual gross revenue, 2) buy, receive, sell, or share the personal information of 50,000 or more “consumers, households, or devices,” or 3) derive 50 percent or more of its annual revenue from selling consumers’ personal information. An IAPP report estimated that the Privacy Act will apply to more than 500,000 U.S. companies, and as such, it will create a de facto standard for all companies that operate in the United States.
Although not entirely clear, the statute also may apply to non-U.S. companies that collect and process Californians’ personal information.
The Privacy Act mandates that businesses must disclose what private consumer information they collect, for what business purpose the information is collected, and any third parties with whom the information is shared. California consumers will be able to request that the company delete their personal data and can opt out of their data being sold. The law is unclear on the extent to which businesses can differentiate among consumers who consent to the sharing of their information and those who do not. On the one hand, the law prohibits businesses from retaliating by changing the price or level of service, but, on the other, “[t]he [act] would authorize businesses to offer financial incentives for collection of personal information.”
The Privacy Act provides a private right of action for consumers whose personal information is subject to a data breach resulting from a business’s failure to implement and maintain reasonable security procedures. Consumers may recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater, if the business has failed to cure the alleged violation within 30 days of written notice (where the violation can be cured). The California Attorney General will also be permitted to enforce the Privacy Act.
Under the Privacy Act, businesses that collect personal data from California residents will need to make significant changes to their data collection and privacy practices. Businesses will need to prepare internally to respond to consumer requests for access to or deletion of their information and to requests to opt out of having their information sold. Businesses will also likely need to update their external privacy policies to ensure that consumers can adequately exercise their newly granted rights, and must tighten vendor management and controls. Businesses that rely heavily on analyzing data will also need to ensure they have adequate technological capabilities to de-identify personal information.
While inspired by GDPR, the Privacy Act implements several key provisions that are notably different from the GDPR. For example, the Privacy Act:
- Maintains an opt-out approach to the sale of personal data (where consumers must actively request that their data not be sold) as opposed to the opt-in model under the GDPR (where, when consent is the lawful basis for processing, data subjects must affirmatively grant consent for specific uses of their data);
- Specifies the communication channels businesses must make available to consumers (including at a minimum a toll-free telephone number and a website address), as opposed to having the freedom to choose those channels under the GDPR so long as they are cost-free to the consumer/data subject;
- Provides for certain rights, including data access, without allowing for quite the same exceptions as GDPR. Conversely, the right to deletion under the Privacy Act is more limited than under the GDPR, as the California law expressly acknowledges that First Amendment and related considerations may limit a business’s obligation to delete personal data.
Governor Jerry Brown signed the bill into law on June 28. However, given the length of time until it takes effect, most observers expect intense efforts by both privacy advocates and industry to modify its provisions before the 2020 effective date. There is no doubt that several of the law’s provisions are unclear and could benefit from revision. The very possibility of further change will complicate companies’ efforts to bring themselves into compliance as the effective date approaches. At the same time, the California law’s passage may increase momentum for federal legislation that may preempt some of the state statute’s more far-reaching provisions.
One thing is for certain: California has created a dynamic that, for U.S. companies, may be even more seismic in its scope than GDPR. How U.S. industry, other states and the federal government react will bear watching in the months ahead.