Earlier this year I published an article called “Stop the Hype! The California Consumer Privacy Act of 2018 is not at all like the GDPR.” The article criticized fearmongering surrounding the ballot initiative that was the California Consumer Privacy Act of 2018, and called out incorrect reports that California was enacting its own version of the GDPR. It explained that while the proposed ballot initiative contained misguided privacy requirements, few of those requirements had any analog within the GDPR. It argued that comparing the ballot initiative to the GDPR was wrong because it caused people to overlook the real threats from the ballot initiative – (1) a prohibition that would have stopped companies from offering free versions of their services (e.g., free apps) in exchange for the right to market consumer information, and (2) draconian statutory damages (and relaxed rules for proving harm) that read like the Christmas wish-list of the plaintiffs’ class action bar.
On June 25, 2018, the California legislature struck a deal with the proverbial devil to avert the passage of the ballot initiative. In an unusual move the legislature drafted an alternative privacy bill which attempted to find compromise by offering proponents of the ballot initiative data privacy provisions that were substantively stronger, in many respects, than what they sought via the initiative in return for diluting (and potentially gutting) the prohibition against offering free versions of apps in exchange for the right to monetize consumer data, and removing the draconian statutory damages. Lest there be any question that the purpose of the final version – referred to as AB 375 – was to avoid the ballot initiative, the authors wrote into the legislation that it would “become operative only if initiative measure No. 17-0039 . . . is withdrawn from the ballot . . . .” In response to criticisms regarding poor drafting and potential unintended consequences of AB 375, the attorney on the California Senate Judiciary Committee and the Chief Consultant to the California State Assembly Privacy and Consumer Protection Committee unabashedly stated that there were two years “for the Legislature to enact clean up legislation to correct errors in the drafting.” Passing a statute with known holes, gaps, and ambiguities was, however, preferable to allowing the ballot initiative to go forward. From the perspective of choosing between the lesser of two evils, the proponents of AB 375 should be commended, if for no other reason than that AB 375 can be corrected by the legislature with a majority vote, whereas the ballot initiative would have been near impossible to fix or nullify.
So what ultimately came out of the drafting process? The result is a statute that is closer to the GDPR than was the ballot initiative, but is still not identical by any stretch. For example, the ballot initiative tangentially impacted three of the twelve core requirements found within the GDPR; AB 375 impacts four of the twelve core GDPR requirements directly. Specifically, like the GDPR, AB 375:
- Provides a broad obligation to provide notice (i.e., privacy policies) to California residents,
- Confers upon California residents a right to access their information,
- Confers upon California residents a right to delete their data, and
- Provides for significant penalties in the event that a company fails to safeguard sensitive personal information.
The differences between AB 375 and the GDPR still outweigh the similarities, however. For example, unlike the GDPR, AB 375 does not:
- Require that businesses have a permissible purpose in order to collect information in the first place.
- Prohibit a business from retaining personal information longer than necessary to fulfill that purpose.
- Confer upon California residents a right to fix inaccuracies in their information.
- Require internal record keeping (i.e., a data inventory) documenting a company’s compliance with AB 375.
- Require a data protection officer.
- Broaden data security obligations to extend to all information that relates to individuals.
- Broaden data breach obligations to extend to all information that relates to individuals.
- Prohibit the transfer of personal information outside of California to other countries (or, I suppose in this case states!) that don’t have similar legislation.
- Require companies to include detailed substantive provisions in their service provider contracts.
In addition to the above, perhaps the biggest difference between AB 375 and the GDPR is that the former only applies to businesses that have over $25 million in gross revenue, hold personal information on more than 50,000 people, or derive more than 50% of their revenue from the selling of consumer information.
To help decipher the ballot initiative, and provide a frame of reference against the GDPR, this chart compares the core requirements of the GDPR against (1) the core requirements proposed by the California ballot initiative, and (2) the core requirements of AB 375.