On June 28, 2018, California’s Senate and Assembly unanimously approved a new consumer privacy bill that, once enacted, will be the most progressive and comprehensive privacy law in the United States. The bill was quickly signed into law by California Governor Jerry Brown, only hours before a deadline to withdraw a voter initiative that sought to impose even more stringent obligations on consumer-facing companies. The bill, AB 375 (also known as the California Consumer Privacy Act of 2018), will reach far beyond California’s borders to give California consumers more visibility and control over their personal information. The law does not take effect until January 1, 2020, leaving plenty of time for changes.
As a general matter, similar individual rights have existed in the United States only for particular types of regulated data (e.g., protected health information regulated by HIPAA or consumer credit information regulated by the FCRA), or where a business has chosen, for its own business reasons, to let consumers access or request deletion of their data. The new law confers these rights generally with respect to California consumer data and, in this regard, moves California law in the direction of the generally applicable privacy laws that have applied in non-US jurisdictions for years, including Europe's 1995 Data Protection Directive (recently superseded by the General Data Protection Regulation), Japan's 2003 Act on the Protection of Personal Information, and South Korea's Personal Information Protection Act.
Because California is the world's fifth largest economy and home to the world's leading technology companies, the new law will have implications that extend well beyond the state's borders. Not unlike Europe's GDPR, which required compliance efforts from companies around the world, the new law will require compliance efforts from businesses across the US and, indeed, around the world, to the extent they do significant business in California and collect data from California consumers.
Enhancing Consumer Rights
The new law gives consumers much broader access and control over their information. A California consumer will be able to access the categories and specific pieces of personal information collected by a covered business, including information about where the business collected the personal information from, the business’s purpose for collecting or selling the personal information, and the categories of third parties with whom the business has shared or sold the personal information. The law also recognizes a right of data portability. In particular, it provides that, where the business discloses the information to the consumer electronically, it should be provided where feasible in a readily usable format that allows the consumer to transfer the information to another entity without hindrance. See Cal. Civ. Code § 1798.100 et seq.
A consumer also will have the right to require deletion of their personal information, except in limited circumstances such as where the business needs the information to complete the transaction with the consumer or for internal purposes that would be consistent with the consumer’s expectations.
In support of the consumer's broad rights, the law codifies an expansive definition of "personal information" that includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes common identifiers such as name, address, email address, social security number, driver's license number, geolocation data, and education and employment information. It also includes less familiar identifiers such as purchase histories, consumer tendencies, information about internet activity, and any inferences drawn from any such information. This definition goes well beyond those in existing privacy laws in California and other states, which typically define personally identifying information as a combination of identifiers, such as a name together with a financial account number and the corresponding password.
A business will have 45 days to respond to a request, with a possibility of extension under certain circumstances. The disclosure to the consumer will need to cover the preceding 12-month period, and businesses will be required to respond to requests from a particular consumer no more than twice in a 12-month period, although they obviously could choose to provide additional disclosures in their discretion.
The law will allow consumers to opt out of the sale of their personal information and will prohibit a business from discriminating against a consumer, or offering inferior products or services, for exercising this right. The law also will prohibit a business from selling the personal information of a consumer under the age of 16 unless the consumer (or, for a child under 13, a parent or guardian) has affirmatively opted in.
Businesses will have to think through and prepare how they will receive and respond to requests from an operational and data security perspective. The law will require that businesses respond to all requests that are “reasonably verifiable,” but it only includes one example of a reasonably verifiable request. In particular, a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account is considered a verifiable request. The California Attorney General will solicit public participation and promulgate regulations regarding methods to determine reasonable verification of requests before the law goes into effect. We anticipate public participation to be robust and for this area to be particularly scrutinized.
The law does include some carve-outs. A business with a single, one-time transaction with a consumer, from which information is neither sold nor retained, will not have obligations under this law. If a business's data is not sufficient to qualify as personal information, the business will not need to re-identify or otherwise link any data that is not maintained in the ordinary course of business to determine whether personal information exists. Lastly, a business that collects information through commercial conduct that takes place entirely outside of California will not be restricted under the law in its collection or sale of consumers' personal information.
Application and Enforcement
The new law will extend beyond California's borders, including to businesses located in other states or other countries, provided that they do business in California. Specifically, it will apply to any for-profit entity that does business in California and (a) has annual gross revenues over $25,000,000 (subject to adjustment under the law); (b) annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers' personal information. If such a business controls or is controlled by another entity that shares common branding, that entity will also be covered by the law.
A business that fails to comply with the law will be subject to enforcement action by the California Attorney General. The law also creates a private right of action, including the potential for class actions, for consumers whose nonencrypted or nonredacted personal information is exposed in a breach resulting from the business's failure to implement and maintain reasonable security procedures. Thus, businesses must home in on policies and procedures not only for their overall data privacy and security measures but also for ensuring that the consumer requests they receive are legitimate and that disclosures are provided only to the appropriate consumer, since a disclosure to an impostor is itself an unauthorized disclosure of personal information.
The law is intended to apply in parallel with other federal, state or local laws. It will not apply in situations where compliance would conflict with a business's obligations under federal, state or local law. It also will not apply to privileged information or to information governed by the Health Insurance Portability and Accountability Act of 1996, along with several other exceptions enumerated in the bill.
The California Consumer Privacy Act is expected to be scrutinized and amended before it goes into effect in 2020 as stakeholders review the implications of the bill and the Attorney General solicits public participation. McDermott will continue to monitor regulatory developments. If you would like assistance in preparing for the change in data privacy and security requirements, please contact Michael Morgan or your regular McDermott lawyer.