The California Consumer Privacy Act of 2018, regarded as the most comprehensive privacy law in the United States, was unanimously passed by the California legislature and signed into law by governor Jerry Brown on June 29, 2018. The bill (AB 375) was fast-tracked through the State Senate and Assembly in a rush to defeat an even stricter privacy ballot initiative, which was introduced by Californians for Consumer Privacy. After weeks of intense negotiations with technology companies, Californians for Consumer Privacy agreed to withdraw the initiative if AB 375 was signed into law.
The new law, which takes effect January 1, 2020, is a reactive measure to recent privacy and data breaches, including the Cambridge Analytica scandal, and governs the use of California consumers’ data by larger companies. Businesses are required to disclose the categories of information to be collected prior to collection, as well as the identity of third-parties that are allow to access that information. Consumers also have the right to request the data that has been collected on them and may also request that the data be deleted. While consumers over 16 years old may opt out of having their data sold to third-parties without being penalized, businesses are prohibited from selling data collected from consumers under 16 years old unless these underage consumers affirmatively opt-in. The bill also gives California consumers the right to sue for up to $750 in the event of a data breach involving non-encrypted personal information due to the failure to implement and maintain reasonable security procedures and practices.
While this California law is the strictest in the nation, it is less restrictive than the EU GDPR. For example, the GDPR requires consumers opt into, or give consent, by “clear affirmative action,” prior to the collection of personal data, whereas the California law only requires disclosure prior to the collection of personal data and allows them to opt-out of the sale of personal data. Most importantly, the GDPR requires any business that offers goods or services to consumers in the EU and collects any personal data from those EU residents to comply with the GDPR, while the California law only applies to companies that do business in California and satisfy one of the following criteria: (1) have an annual gross revenue exceeding $25 million; (2) in connection with a commercial purpose, annually buy, receive, sell, or share the personal information of 50,000 or more consumers; or (3) derive 50% or more of its annual revenues from selling consumers’ personal information.
The California Consumer Privacy Act may not remain in final form as passed. Tech companies have already expressed their desire to lobby legislators to change certain provisions of the law which they believe will result in unintended consequences. Lawmakers are expected to make amendments to the bill over the course of the next 18 months.
Conkle Kremer & Engel will continue to monitor the status of the California Consumer Privacy Act and will report on changes to the final version of this law, if any. CK&E has many years of experience advising clients about regulatory compliance issues they face, and helping them prepare for foreseeable changes in the law.
JUN