On June 28, 2018, California Governor Jerry Brown approved Assembly Bill 375 (the “Law”). The intention of the consumer privacy Law is to provide businesses with a blueprint on how to handle consumers’ personal data. The framework of the Law is similar to Europe’s new General Data Protection Regulation (“GDPR”). For businesses that have just finished (or are in the process of) navigating the GDPR, a similar approach will be necessary to prepare for compliance with the Law, which goes into effect on January 1, 2020.
What are the elements of the Law?
Consumer Privacy Protection
Consumer privacy protection has become a hot topic in recent years thanks to data breaches at prominent businesses, including Facebook, Uber and Equifax, and the recent Cambridge Analytica scandal. The Law was passed, in part, as a response to those consumer data events. Consumers will now have more control over their data and how businesses use it. Among other provisions contained in the Law, consumers will now have the right to: 1) request that businesses disclose the categories and specific pieces of personal information that they collect from/about consumers; 2) learn the purposes that businesses have for collecting and selling consumer information; and 3) request deletion of their personal information. Additionally, the Law further protects consumers under sixteen years of age by prohibiting businesses from selling their personal information, unless specific opt-in consent has been granted by the subject consumers.
Consumer Privacy Enforcement
The Law will be enforced by the Attorney General and provides consumers with a private right of action where a consumer’s non-encrypted or non-redacted personal information is stolen or disclosed without authorization. Consumers who bring an action under the Law will be required to notify the Attorney General within thirty days of filing their actions. The Attorney General will then notify the subject businesses of the actions and allow the businesses thirty days to cure the alleged violations. If the businesses do not cure the respective violations, they can be held liable for civil penalties under Section 17206 of the California Business and Professions Code of up to seven thousand five hundred dollars ($7,500) for each intentional violation.
Protecting Your Business for the Future
The EU’s passage of the GDPR was the start of regulatory action across the world geared towards providing consumers with more meaningful control over their personal data. The United States is now starting to move in a direction similar to Europe’s – and when it comes to consumer privacy law, California tends to adopt some of the strictest laws in the US.
Businesses will need to become compliant with the Law by 2020 in order to avoid litigation and penalties. Even though the Law will not be in force until 2020, it is important to consult with experienced counsel in the interim to ensure that all data collection, use and sharing practices are compliant with existing laws.