BizTech Law Blog

California Enacts Sweeping Privacy Legislation

On June 28, California governor Jerry Brown signed into law the California Consumer Privacy Act of 2018. The Act will significantly impact companies (including many based outside of California) and United States legislation in the coming months, although it is unclear whether the new law will serve as an example for other states or an outlier. Importantly, the Act contains a number of "GDPR-like" features, making it the most restrictive data privacy law that the United States has ever seen.

Legislative Background

The Act was quickly pushed through the California legislature after a ballot initiative similar to the Act was certified this week. The ballot initiative was spearheaded by wealthy real estate developer Alastair Mactaggart, who spent $3 million and gained more than 600,000 signatures in support. As many news outlets have reported, it was the ballot proposal's certification this week that caused legislators to pass the bill despite significant opposition from the technology and business sectors. The Act does not go into effect until 2020. 

How Will the Act Affect Non-California Companies?

The Act's scope is broad and unique relative to others in the United States, but less so compared to the European Union's General Data Protection Regulation. The Act applies to any entity that "does business" in California that collects, processes, or causes another entity to process  consumers' personal information, and that meets any of the following three thresholds:

1. The entity has annual gross revenues in excess of $25 million dollars.
2. The entity buys, receives for a business purpose, sells, or shares for a business purpose the personal information of 50,000 or more consumers, households, or devices.
3. The entity derives 50% or more of its annual revenues from selling consumers' personal information.

Companies should recognize that the Act's second and third thresholds are particularly broad, which may become a trap for the unwary. The Act also does not define whether there are minimum activities necessary to meet the "does business in California" standard. Therefore, it remains to be seen whether, for example, a software developer with minimal users in California that earns most of its income from selling targeted advertisements will be subject to enforcement under the Act.

Major Features of the Act

The Act contains a number of requirements similar to the GDPR, but unique to United States law. There is much to unpack about these requirements, but some of them include the following. 

1. A consumer has the right to request the types of data that an entity holds on them, and how that data is used and shared. The business must verify the individual's identity before responding to the request.
2. A consumer has a right to full erasure of their information (often called the "right to be forgotten"), with limited exceptions for certain business purposes and rights.
3. Entities must disclose how they process consumers' personal information, and consumers may object to the sale of their data. Companies must also include a "Do Not Sell My Personal Information" button on their websites to make it easier for consumers to raise objections.
4. Companies may not discriminate against consumers who exercise their rights under the Act.
5. Companies that wish to sell children's data must obtain parental consent if the child is younger than 13. If the child is between 13 and 16 years old, the company must obtain express opt-in consent – i.e, not through a pre-checked box in an online form.
6. In general, penalties may be assessed up to $7,500 per violation (keeping in mind that a business may accumulate numerous violations in one enforcement action). The act also contains a private right of action, and therefore may be enforced by either the California Attorney General or a consumer through an individual lawsuit.
7. In connection with a data breach, fines are a minimum of $100 and a maximum of $750 per affected individual, or actual damages if greater. Notably, the Act provides for a fine if a breach is due to a company's failure to maintain reasonable security practices. Today, many state laws only provide for a fine for a failure to notify individuals affected by a breach.

 Cloudy Legislative Outlook Beyond California

The Act raises significant questions about the future of data privacy laws in the United States. Only time will tell whether the Act will serve as a model for lawmakers in other states (or the federal legislature), or an outlier among the current patchwork of disparate laws and regulations. Although recent rumors suggest some interest within the White House in a federal data protection scheme, many are skeptical of the likelihood for action.

As a developing story, the Act is certain to result in updated and related news that will affect companies everywhere. Stay tuned.

Categories: Cloud Computing, Did you Know?, Digital Assets, Privacy