Over the past few weeks, California Republican lawmakers have introduced a new package of legislation called “Your Data, Your Way,” which would expand and strengthen consumer privacy rights beyond what is required by the new California Consumer Privacy Act (CCPA). The “Your Data, Your Way” package is comprised of bills that would impose new obligations on businesses, including providing consumers greater control over the use of their data, limiting companies’ storage and use of certain types of data, and notifying consumers within three days of discovering a data breach. The package consists of the following five bills:

AB 288 – Social Media Privacy:

Coined the “Own Your Own Data Act,” this bill proposes to require a social media company (defined as a company that provides electronic services or accounts, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or internet website profiles or locations) to:

    • Provide users that close their accounts the option to have the users’ personally identifiable information permanently removed from the company’s database and records and excluded from sale.
    • Honor such a request within a reasonable time.

The bill would provide for actual damages, and in the case of willful violations, punitive damages, as well as reasonable attorney’s fees for the prevailing party. Injunctive relief is also available to aggrieved consumers.

“Family Green Light”:

This bill, the text of which has not yet been introduced, reportedly would require social media companies to obtain a parent’s or guardian’s permission before allowing a child under age 16 to use their platforms. A separate Democrat bill, AB 1665, has also been introduced and is outlined below. It addresses social media services, proposing to require parental consent only where the platform receives payment in connection with posting information about a minor.

AB-103572-Hour Data Breach Notification:

This bill proposes to amend California Civil Code 1798.82, California’s data breach notification law, which currently requires a business to notify affected individuals of a data breach in the most expedient time possible and without unreasonable delay. This bill requires companies to notify affected individuals of a data breach within 72 hours following discovery or notification of the breach, similar to what the EU’s GDPR requires.

AB-1395 – Smart speaker devices:

This bill, coined the “Future of Eavesdropping Act,” proposes to prohibit companies from storing voice data from a “smart speaker” (defined as a wireless speaker and voice command device sold in California with an integrated virtual assistant that offers interactive actions and hands-free activation, excluding a cell phone, tablet, or laptop computer with mobile data access, or a pager) and using it for marketing purposes. In particular, this bill would prohibit a smart speaker device or a specified manufacturer of that device from saving or storing recordings of verbal commands or requests given to the device, or verbal conversations heard by the device, regardless of whether the device was triggered using a key term or phrase.

21st Century Monopolies:

This bill, the text of which has not yet been introduced, reportedly will call on Congress and the Federal Trade Commission to consider updates to federal anti-trust laws to protect consumers.

In addition to the “Own Your Own data” package of bills, California lawmakers have also introduced the following new privacy bills:

AB 846 – Consumer Loyalty Programs:

The CCPA prohibits a business from discriminating against a consumer for exercising any of the consumer’s rights under the act, except if the differential treatment is reasonably related to value provided by the consumer’s data. This bill expresses the intent of the Legislature to enact legislation that would clarify that the CCPA does not prohibit a consumer from choosing to participate in a customer loyalty program that offers incentives such as rewards, gift cards or certificates, discounts, or other benefits. The bill would further clarify that a business that offers a customer loyalty program may continue to offer rewards, gift cards or certificates, discounts, and other benefits associated with a customer loyalty program in a manner that is reasonably anticipated within the context of a business’s ongoing relationship with a consumer.

This bill requires a business that conducts business in California, and that collects a California resident’s consumer data, to disclose to the consumer the monetary value to the business of their consumer data by posting the average monetary value to the business of a consumer’s data, including that information in its privacy policy posted on its internet website, and also including in its privacy policy disclosure of any use of a consumer’s data that is not directly or exclusively related to the service that the consumer has contracted the business to provide, as specified. The bill also requires a business that conducts business in California, that collects a California resident’s consumer data, and that sells that data, to disclose to the consumer the average price it is paid for a consumer’s data and to disclose to the consumer the actual price it was paid for a consumer’s data upon receipt of a verifiable request for that information from the consumer. This bill also establishes the Consumer Data Privacy Commission comprised of members of academia, civil society, and industry to provide guidance to the Legislature regarding appropriate metrics and methodology for determining the value of consumer data, requiring the commission to report its findings to the Legislature on or before January 1, 2021.

As we have previously reported, this bill proposes to limit websites and mobile apps from publishing a minor’s name, picture, or any reasonably identifiable information about the minor on a social media service (not defined), where the publisher is paid by a third party to do so, absent parental consent, which consent cannot be a condition of using the service. It is not clear what use cases the bill intends to address, but presumably paid publication of “likes” of brands would be covered. As discussed above, the Family Green Light bill would also require parental consent where a child is interacting with a social media service.

SB 561 – Expanding CCPA Private Right of Actions:

Senate Bill 561, announced by California Attorney General Xavier Becerra, together with Sen. Hannah-Beth Jackson (D), proposes to amend the California Consumer Privacy Act (CCPA). Most significantly, it would effectively eliminate the AG’s responsibility to provide guidance to businesses on how to comply with the CCPA while simultaneously expanding the right of class action plaintiffs’ lawyers to sue businesses for noncompliance. Moreover, SB 561 removes the right of businesses to cure a violation under the CCPA within 30 days. SB 561 would also substantially impact businesses by expanding the private right of action for any violations of the CCPA despite also removing businesses’ ability to seek clarification on CCPA compliance or to cure potential CCPA violations. For more information, see our blog post here.

Placeholders:

There are over 20 bill numbers reserved for yet-to-be introduced CCPA amendment bills.

The introduction of these new bills follows the passage of the CCPA in June 2018, an unprecedented change in U.S. data protection law which broadly regulates businesses and borrows heavily from European law. The CCPA is effective January 1, 2020, but companies will need to begin detailed data mapping and tracking of data practices as of January 1, 2019, to be able to comply in 2020 with notice and consumer request requirements that are subject to a 12-month look-back. The new law will affect all but the smallest business that have data on California residents, granting California residents the right to learn categories of personal information that businesses collect or otherwise receive, sell, or disclose about them, and the purposes therefor, as well as the categories of third parties with whom businesses disclose personal information. It also grants California residents the right to obtain more detailed information about their own personal information, on an individualized basis, and the rights to access and obtain transportable copies of their personal information, to prevent businesses from selling their personal information (i.e., commercial transfers even if monetary consideration is not involved), and, subject to certain exceptions, to request that a business and its service providers delete their personal information. A summary of the CCPA is available here, and a comparison to the General Data Protection Regulation is available here. You can find information on BakerHostetler’s CCPA compliance services here, or feel free to contact the authors. Information on the San Francisco and Los Angeles CCPA forums attended by BakerHostetler are available here and here.