
California has been a trendsetter for data privacy legislation in the United States for years now, and its most recent data privacy law is once again the first of its kind.

The California Consumer Privacy Act of 2018, or AB 375, provides new consumer rights over commercial data collection and use and will go into force in January 2020. There are obvious parallels with rights contained in the E.U.’s General Data Protection Regulation (“GDPR”), and while AB 375 is not as comprehensive, its definition of personal information is much broader.

The law applies to businesses that collect and process the personal information of consumers and (1) have an annual gross revenue of over $25 million; (2) buy, sell, receive, or share the personal information of 50,000 or more individuals, households, or devices; or (3) collect 50% or more of their annual revenue from selling consumer information.

Important provisions include:

  • Collection and Sale Disclosures to Consumers: On request, a business must disclose what personal data they collect, the source of the data, why the data was collected, and what specific data the company holds about the consumer. They must also disclose what personal data they share or sell and the categories of third parties they share or sell that data to. The description of third parties by category was a change from the original text, which would have required specific identification.
  • Opt-Out and Sale Restrictions: Businesses that sell consumer data have to allow consumers an option to opt out of sale, which will prevent the company from selling the consumer’s personal data. This option needs to be provided through a prominent link on the company’s webpage, in its privacy policy, and in any California-specific description of consumer rights. Third parties also may not sell personal data they purchased unless they give notice and allow the consumers to opt out. Finally, there are also sale restrictions for any personal data collected from children under 16.
  • Deletion, Access, and Transfer Requests: On request, companies have to delete any personal information they hold about that consumer and direct any of their service providers to do the same unless a particular exception applies. They may also be required to provide the data they’ve collected directly to the individual in a usable form, allowing the consumer to transfer that data to other entities.
  • Non-Discrimination: Companies have to provide equal service to all consumers regardless of whether they exercise any of these rights, and there cannot be any denial or degradation of service or other discriminatory treatment. While companies can offer financial incentives like a lower rate or discount to consumers that allow collection or sale of their data, the amount must be directly related to the data’s value.
  • Enforcement and Penalties: The law will be enforced by the California Attorney General, and penalties can be up to $7,500 per violation.
  • Private Right of Action for Data Breach: Some States allow a private right of action if a business violates a breach notification statute, but do not address liability for the actual breach. AB 375 changes this and allows affected individuals to sue if a data breach compromises their personal information and the company holding that data failed to take reasonable measures to protect it. The amounts can be between $100 and $750 per consumer per incident, which could quickly add up in a mass breach, or actual damages, which are usually quite difficult to prove.

The California legislature, Attorney General’s office, and industry players have a year and a half to consider amendments and enforcement. Although AB 375 is under intense scrutiny and is quite unpopular among larger tech, marketing, and data analytics firms, it was proposed and passed with little actual opposition. Many companies supported the bill in order to avoid an even stricter ballot initiative that could be presented directly to voters, which would have been far more difficult to amend. This law was the lesser of two evils for many tech firms, and the lack of opposition suggests many firms considered these changes inevitable due to widespread consumer frustration and desire to have some control over the collection and use of personal data. As with breach notification statutes that emerged over fifteen years ago, we can expect other States will start considering similar legislation, and these California consumer rights may very well become the new normal across the country. Businesses across the United States should keep a close eye on how this law develops and what results follow once it comes into force.

Visit our Cyber Law blog for more interesting updates on how the law is developing with the change and growth of technology. Have any questions or comments? Contact our Sioux City, Sioux Falls, or Omaha office today!


DISCLAIMER: The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. By visiting this website, blog, or post you understand that there is no attorney client relationship between you and the Goosmann Law Firm attorneys and website publisher. No information contained in this post should be construed as legal advice from Goosmann Law Firm, PLC, or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.