What will the Act do?
Who's covered? The Act applies to companies that do business in California and that meet one or more of the following three criteria: (a) have more than $25 million in annual gross revenue; (b) buy, receive, sell or share the personal information of 50,000 or more consumers or devices; or (c) derive 50 percent or more of their annual revenue from selling consumers’ personal information.
Expansive redefinition of personal information. This Act introduces privacy protections that are similar to the GDPR in many respects. Most notably, it expansively defines personal information as any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” This definition of “personal information” goes well beyond the definitions in existing state privacy laws and includes categories of data such as:
- Biometric data;
- Internet browsing activity (including browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement);
- Commercial information (including products or services provided, obtained or considered, as well as “other purchasing or consuming histories or tendencies”);
- Audio, electronic, visual, thermal, olfactory or similar information;
- Geolocation data;
- IP address information; and
- Inferences drawn about individuals from the data associated with them.
New statutory consumer rights
Access requests and 45 days to respond. The Act affords consumers the right to request that businesses disclose what personal information is being collected about them, how the consumer’s personal information was sold or disclosed, and the categories of third parties with whom the business shares personal information. Specifically, within 45 days of a verifiable request, businesses must disclose the personal information they collected and the personal information they sold to a third party and/or disclosed to another person for business purposes within the year preceding the request. Businesses that have sold or disclosed the requesting consumer’s personal information must also provide the categories of third parties with whom the business shares personal information.
Right to deletion. The Act also seeks to provide California consumers with additional control over how their personal information is being used by giving consumers the right to request that their personal data be deleted and the right to opt out of the sale of the consumer’s personal information. It also places limits on selling data on users younger than 16 years of age.
Prescriptive new notice and consent requirements. To assist consumers in exercising their right to opt out, the California law requires a “clear and conspicuous” link on the business’s homepage, titled “Do Not Sell My Personal Information” unless the business has a separate webpage for California consumers and takes reasonable steps to direct California consumers to that webpage.
Additionally, businesses must post certain information online, including a description of consumers’ rights under the law and the types of personal information collected, sold to a third party and disclosed for business purposes. This information must be displayed, if applicable, in an online privacy policy or in any California-specific description of consumers’ privacy rights and must be updated annually.
GDPR and California comparisons
The Act is significantly different from the GDPR in that businesses are only prohibited from selling personal information if the consumer exercises their right to opt out of the sale of their personal information. By contrast, under the GDPR, organizations are, by default, prohibited from “processing” the personal data of data subjects unless they have an appropriate legal basis to justify the processing (e.g., a legitimate interest by the business that involves balancing the necessity to process the data for legitimate interests against the interests or fundamental rights and freedoms of the data subject).
But similar to the GDPR, the Act requires businesses to fulfill data subject disclosure requests free of charge. However, the Act gives businesses 45 days to respond instead of 30 days.
Also similar to the GDPR, the Act provides data subjects with a private right of action (discussed below) to sue for alleged breaches of consumers’ personal information. The Act also anticipates class actions; however, it does not go into detail around when class actions would be permitted.
Enforcement mechanisms and public debate
The ideas contained in the Act have gone through many prior iterations in legislative proposals. Many California-based technology leaders have publicly opposed the law with similar arguments that were posed against the GDPR before it was made into law: it will be difficult to implement, and it will be a barrier to those looking to do business in California.
Civil penalties and ambiguity. Any person, business or service provider that intentionally violates the provisions of the bill may be liable for a civil penalty. The bill provides for its enforcement only by the Attorney General with civil penalties of up to $7,500 for each intentional violation. The Act does not detail what constitutes a “violation,” nor does it define what qualifies as “actual damages.” Thus, there is no telling whether a business’s single failure to respond to a consumer’s access request constitutes a “violation” or if that failure to respond is multiplied by each category of personal information withheld or per day the request is not honored.
New private right of action with statutory penalties. The Act also provides a private right of action for consumers in connection with security breaches if specific criteria are met, such as the Attorney General refraining from acting within 30 days of notification of a consumer’s intent to bring an action. Plaintiffs are entitled to recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. Under this statutory damage scheme, a company that suffered a data breach will be deemed to have violated the Act for each consumer affected. Therefore, the statutory damages could balloon to extremely large payouts. One consequence of the Act is that plaintiffs’ lawyers will have much greater leverage in the early stages of class action litigation and stronger incentives to file more cases.
Broad and potentially ambiguous breach definition. A security breach is defined as “the unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Further, under AB 375, a business will have a 30-day opportunity to cure any alleged violation after notice by the Attorney General of noncompliance.
Many argue that this statutory damages scheme for security breaches, combined with the ambiguity of the term “violation,” could ultimately cost businesses thousands per violation without taking into account whether the violation even posed any harm to data subjects, since it allows for “injury in fact” violations – a common criticism of privacy statutes in the United States.
The Act is still being analyzed to determine its impact on the advertising industry and newsgathering operations of media companies. The wealthy San Francisco developer who sponsored a previously proposed ballot initiative withdrew the ballot measure after the California Legislature passed the Act on June 28 – the deadline for the initiative to qualify or to be pulled from the ballot.
Implications
Unintended consequences. Enforcement of the Act is left to the Attorney General, with the exception of the private right of action related to security provisions. It appears that the California Legislature heard the concerns of businesses and made a concerted effort to limit privacy strike suits much like those that plagued technology companies and led to the passage of the federal Private Securities Litigation Reform Act. With privacy and security breach class actions being the fastest growing category of consumer litigation, this is timely. Whether the limiting effort holds is sure to be tested because the stakes are so high for plaintiffs’ lawyers and businesses alike. Because the new law creates an express private right of action with damages, even with the procedural limitations, strong incentives to bring cases to court and to settle even those without merit may persist and possibly even grow.
The Act could be subject to numerous federal and state constitutional challenges as well as arguments that various federal laws preempt the law and/or that it violates the Commerce Clause, constitutes a taking without just compensation, infringes the First Amendment and more. The Act’s passage could trigger a significant shift across the country on privacy protections at the state level. A member of one leading international consultancy suggested that the Act will touch off a “tsunami of activity” even for those businesses suffering from GDPR fatigue over the last few years. Innovative data companies and any business focused on offering data-driven products and services need to be especially wary. The Act, and the haste with which it passed, illustrates the increasing public interest in personal data and security issues and, together with the adoption of GDPR-like policies by many global companies, suggests that heightened debate, additional legislation and increased high-stakes litigation may be inevitable.
Client Alert 2018-148