California sets the standard for the rest of the country in a lot of areas—now, we can add privacy regulation to the list, as discussed by my colleagues Richard S. Eisert and Gary A. Kibel in a recent Davis & Gilbert client alert. This summer, California passed a bill known as the California Consumer Privacy Act of 2018, imposing rigorous privacy-related obligations on entities that do business in the state. Some have called the act “GDPR-light” since it implements some concepts similar to those in the new European law.
The California law was thrown together in a hurried effort by the legislature to head off an even more restrictive ballot initiative. That initiative had broad public support and enough signatures to appear on the November ballot. Its sponsors agreed to withdraw it, however, if the Consumer Privacy Act was put in place by the end of June.
Like GDPR, the new law is going to have effects far beyond the jurisdiction in which it was passed. It applies to any companies that do business in the state and meet certain gross revenue standards; buy or receive personal information of 50,000 or more consumers, households, or devices; or derive half or more of their annual revenues from selling consumers’ personal information. The law gives consumers fairly powerful new rights and controls over their personal information (which is defined broadly to include search histories and geolocation data), in the following ways:
- Access: Consumers have a right to request that businesses disclose the personal information that they collect, the sources of that information, the business purposes for collecting it, and the third parties with which the information is shared. Requests must be honored within 45 days, with possible extensions.
- Deletion: Consumers can request that businesses delete personal information about them.
- Portability: Consumers have a right of portability to receive their personal information from the business and take it elsewhere.
- Sale Opt-Out: With narrow exceptions, if a business intends to sell the personal information of a consumer, the business must provide notice and an opportunity to opt-out.
- No discrimination: The statute prohibits businesses from discriminating against consumers that have opted out, including by charging them a different price or providing them a different quality of goods or services, except if the difference is reasonably related to the value provided by the data. The wording of the law on this point is less than clear. It also suggests that businesses can offer financial incentives to consumers for the collection of their personal information.
- Personal Information of Children: The Act prohibits businesses from selling personal information of a consumer under 16 years of age, unless affirmatively authorized via an “opt in.”
- Financial Damages: The Act provides a limited private right of action for consumers in the event of a data security breach.
There are numerous other requirements under the law, many of which will be new concepts to companies doing business in the U.S. The news is not all negative for businesses, however, as there is an ability to cure any deficiencies and to escape liability for certain third-party service providers if proper controls are put in place. Also, critically, the provisions of the law do not take effect until January 1, 2020.
The Way I See It
- California’s privacy regulations will be disruptive, but businesses should not panic. The delayed implementation means that this bill is, in effect, a rough draft, leaving time to work out problem areas in the hastily written law.
- While the “GDPR-lite” designation makes sense, this law covers less territory than the transformative General Data Protection Regulation. It does not touch, for instance, broad data processing rules and other issues that extend beyond consumer rights.
- With this law, California is setting the standard for the rest of the nation. The legislation did not result from a deliberative process, however, and it remains to be seen whether other states will adopt California’s approach or come up with their own approaches to consumer control over personal information.