Date: Jul 12, 2018
The law, which takes effect in 2020, applies to any entity doing business in the State of California that meets one of the following thresholds:
The Act includes a broad definition of personal information and creates rights to know what data companies are collecting, why they are collecting it, and with whom they are sharing it. In addition, the Act provides that:
As privacy is a matter of statewide concern, the Act also preempts inconsistent state, county, and municipal laws. It does not apply to the collection and use of information covered by federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act, or to information collected pursuant to the Gramm-Leach-Bliley Act or Driver's Privacy Protection Act, if it is in conflict with those two laws.
While AB 375 bars businesses from penalizing consumers who exercise their rights under the Act, it permits businesses to offer financial incentives for the collection, sale, or deletion of personal information, including payments to consumers as compensation. And, as noted above, businesses are allowed to charge higher rates for goods or services to consumers who opt out, "if that price or difference is directly related to the value provided to the consumer by the consumer's data."
Importantly, the law specifies that the obligations on businesses shall not restrict their right to comply with applicable laws or legal and regulatory inquiries, cooperate with law enforcement, exercise or defend legal claims, or collect and use de-identified information. As a practical matter, most businesses must share data with multiple service providers to offer their services.
Future Rules and Actions
The Act envisions additional rulemakings to implement its provisions. For example, it contemplates new rules, within one year, to establish any exceptions necessary to comply with existing state or federal laws, and rules and procedures to facilitate consumer access requests, compliance with consumer access requests, and the development of a uniform opt-out logo or button. It is contemplated that additional rules will address required notices, procedures to verify a consumer who makes an access request, and monetary threshold adjustments, among other things, and the Attorney General is authorized to adopt additional regulations as necessary to further the purposes of the Act.
The Act includes some significant differences from the now-withdrawn ballot initiative. For example, the ballot initiative included a provision that required a 70% majority in both houses to change it after it became law, and another that provided a bounty for whistleblowers. Nevertheless, establishing a private right of action, with statutory damages, could create a bonanza for plaintiffs' attorneys frustrated by legal barriers to data breach suits where no damages have been incurred.
The rush to passage to forestall the ballot initiative has already led to suggestions that some modifications should be adopted, both by privacy advocates who think the law does not go far enough and by businesses that are concerned about its restrictions, so this may not be the last word on the law. The details are important, as California has often been at the forefront of expanding legislation. In 2003, for example, California was the first state to enact a data breach law, which proved to be the primary model for legislation passed by other states, all of which have now passed data breach legislation. U.S. state data breach legislation was likewise a model for a data breach provision in the GDPR.
The sweeping provisions of California's privacy law could encourage other states, frustrated by inaction at the federal level, to follow suit. Variations in state data breach legislation create challenges for businesses, since data breach notification triggers and obligations vary, as we have previously reported. This, in turn, may further prompt discussions about a general preemptive federal privacy law, so the state and federal privacy legislative landscape is expected to remain highly active for the foreseeable future.
For more information, contact Sheila A. Millar at email@example.com or +1 202.434.4143 or Tracy Marshall at firstname.lastname@example.org or +1 202.434.4234. Join our mailing list to receive industry specific information and invitations to seminars and webinars from Keller and Heckman LLP.