Both houses of the California General Assembly unanimously passed legislation — quickly signed by the governor — that creates sweeping data privacy legislation similar to the General Data Protection Regulation (GDPR) that passed in the European Union.
The bill, AB 375, was introduced by Assembly member Ed Chau, D-Monterey Park; Sen. Bob Hertzberg; and Sen. Bill Dodd, D-Napa. In a statement announcing the signing of the bill, the authors noted that earlier that week, a privacy initiative qualified for the November ballot to provide consumers with increased privacy rights. A legislative solution, unlike the initiative process, provided the opportunity to strike an appropriate balance between protecting privacy rights and the ability for tech to innovate and provide reliable services now and into the future, the statement said. AB 375 was the result of an agreement reached with the initiative proponents to move forward with a legislative solution and is a “significant step” in providing California consumers more control over their data.
The new law, known as the California Consumer Privacy Act of 2018, begins by stating, “As the role of technology and data in the everyday lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.
“The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.
“People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level of transparency to their business practices. Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.”
The new law states that consumers have the right to request that businesses that collect their personal information disclose to them the categories and specific pieces of personal information the business has collected. They also will have the right to request information about the categories of sources from which the information was collected, the purpose of collecting or selling the information, and the categories of third parties with whom the information is being shared. Businesses will have to inform consumers, before or at the point of collection, what categories of personal information they collect and the business’s purpose in collecting that information. Businesses will have to provide information about the personal information they have collected from a consumer upon receipt of a verifiable consumer request.
Consumers also will have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. The business then would be required to comply with the request unless it is necessary for the business to maintain the consumer’s personal information to:
- “Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
- Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”
Businesses that sell consumers’ personal information to third parties must provide notice to consumers that this information may be sold and that consumers have the right to opt out of the sale of their personal information. If a consumer opts out of having their personal information sold, the business would be prohibited from selling that information and must not discriminate against a consumer because they exercised that right.
The new law defines business as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the state of California, and that satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of $25,000,000, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”
Business would include “any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. ‘Control’ or ‘controlled’ means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. ‘Common branding’ means a shared name, servicemark, or trademark.”
The bill defines consumer as a natural person who is a California resident as defined in the California Code of Regulations as of Sept. 1, 2017, however identified, including by any unique identifier.
Under the new law, personal information “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in subdivision (e) of Section 1798.80.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Personal information does not include publicly available information, “information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. ‘Publicly available’ does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. ‘Publicly available’ does not include consumer information that is de-identified or aggregate consumer information.”
The bill defines third party as a person who is not the business that collects personal information from the consumer or a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person receiving the personal information from:
- Selling the personal information.
- Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
- Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
“A person covered by (this definition) that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by (this definition) in compliance with (this definition) shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.”
The bill further states later on that “a business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.”
The obligations imposed under the new law will not restrict a business’s ability to:
- “Comply with federal, state, or local laws.
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
- Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
- Exercise or defend legal claims.
- Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
- Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.”
If a consumer’s nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information, the consumer may institute a civil action to recover damages of $100-$750, injunctive or declaratory relief, or any other relief the court deems proper.
“Prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer shall provide a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.”
The consumer will have to notify the state attorney general within 30 days of the action being filed. The attorney general will then, within 30 days, do one of the following:
- Notify the consumer bringing the action of the Attorney General’s intent to prosecute an action against the violation. If the Attorney General does not prosecute within six months, the consumer may proceed with the action.
- Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed.
- Notify the consumer bringing the action that the consumer shall not proceed with the action.
The attorney general will be tasked with adopting regulations to implement the new law on or before Jan. 1, 2020.
The bill states: “This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information, including, but not limited to, Chapter 22 (commencing with Section 22575) of Division 8 of the Business and Professions Code and Title 1.81 (commencing with Section 1798.80). The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.”