Governor Brown and California legislators enacted far-reaching consumer privacy and data security protections today in a deal to avoid a deeply flawed privacy initiative being placed on the ballot for voters in November.
California Gov. Jerry Brown signed A.B. 375, the California Consumer Privacy Act of 2018 (CCPA), into law. The CCPA is the nation’s strictest consumer privacy and data protection measure. While legislators have promised “technical amendments” before the CCPA takes effect in 2020, there is little doubt that it is a better, more workable option for consumers and businesses than the consumer privacy ballot initiative would have been.
The CCPA will apply to any for-profit entity doing business in California that (1) collects consumers’ personal information (PI) solely or jointly with others, and (2) either (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the PI of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from PI sales.
The law will govern a broad swath of nonpublic information (i.e., personal information) that is more expansive than definitions of personally identifiable information and similar information categories protected under existing state law. As written, PI includes items such as IP address, commercial information, biometrics, Internet activity, geolocation, employment-related information, education information, and “inferences” drawn from any such information to create a profile reflecting consumer characteristics.
The CCPA will require covered businesses to observe an assortment of consumer rights and related notices that, in certain respects, resemble those recently codified in the European Union via its General Data Protection Regulation (GDPR). The CCPA’s new rights include:
- Right of Access. Consumers may request disclosure of the specific PI that a business has collected about the consumer.
- Right of Deletion. Consumers may request that a business delete any PI it has collected from the consumer and direct any service providers to do the same, subject to several exceptions, such as when PI is needed to complete requested transactions or services.
- Right to Know. Consumers may request disclosure of the categories and specific pieces of PI collected about them, the sources from which the PI was collected, the purpose for such collection, and the categories of third parties the PI is shared with or sold to.
- Right to Opt Out or Opt In. Consumers may opt out of any sale of their PI to third parties, and consumers under age 16 must opt in to any such sales.
- Right of Equal Service. Covered businesses must not discriminate against consumers exercising any of the above rights, including through pricing and quality of goods or services, unless different treatment is reasonably related to the value provided to the consumer by his or her data. However, businesses may offer reasonable financial incentives related to PI collection, sale or deletion.
Violations of these provisions are actionable by the California Attorney General (AG) via the state’s Unfair Competition Law (UCL) after a 30-day cure period has passed. In addition to UCL penalties, the law authorizes civil penalties of up to $7,500 per violation.
The CCPA also provides a limited private right of action for data breaches, defined as any instance in which unencrypted PI is subject to unauthorized access and exfiltrated or otherwise disclosed as a result of a violation of the business’s duty to observe reasonable security procedures and practices. The right of action has two major prerequisites: first, 30 days’ written notice to the business identifying the allegations and an opportunity to cure; and second, notification to the AG within 30 days of filing a complaint, after which the AG must respond within 30 days stating whether the AG will prosecute the matter within six months and, potentially, that the consumer is not authorized to proceed. Only once these preconditions are met may the consumer proceed with his or her civil claim for the greater of statutory damages (between $100 and $750 per incident) or actual damages, together with injunctive or declaratory relief.
Today’s developments represent a significant compromise with Alastair Mactaggart, the lead sponsor of a ballot initiative that would have brought similar proposals to California voters in November. As part of the compromise, Mr. Mactaggart has agreed to pull the initiative from the ballot before today’s deadline for the Secretary of State to certify the initiative for the ballot. Though industry groups had been gearing up to oppose the ballot initiative, the Internet Association issued a statement saying it would not impede the bill’s enactment. Indeed, certain industry heads such as Marc Benioff of Salesforce have recently signaled support for such moves at the national level.