On June 28, California passed a sweeping data privacy law after only one week of work. Unless AB 375 (the California Consumer Privacy Act of 2018) is amended before its January 1, 2020, effective date, the law will be the strictest data privacy law in the United States, and will require data privacy protections and requirements similar to or broader than those imposed by the European Union General Data Protection Regulation that became effective on May 25, 2018.
The California legislature acted quickly to avoid a citizens’ initiative sponsored by Californians for Data Privacy from appearing on the November ballot. With the passage of AB 375, the initiative sponsors agreed to withdraw the initiative from the ballot.
By passing the bill (and avoiding the possible passage of the citizens’ initiative), the legislature bought time to review and amend the law before its 2020 effective date. If the initiative had passed, amendments would have required either a 70 percent super-majority in each house of the legislature, or approval by two-thirds of voters.
The law applies to for-profit businesses that do business in California and either:
- Have annual gross revenue of $25 million or more;
- Collects, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices; or
- Derives at least 50% of its annual revenues from selling consumers’ personal information.
The law also applies to affiliated, co-branded entities of businesses that meet the above criteria, even if the affiliate doesn’t do business in California.
As written, the California Consumer Privacy Act of 2018 requires the following:
1. Transparency of Data Collection and Processing
In a manner similar to the European Union General Data Protection Regulation, businesses that collect or sell the personal data of California residents will have to provide information to the individuals about:
- the categories and specific pieces of personal data that the business has collected or sold,
- the categories of sources from which the data was collected,
- how the data will be used, and
- to whom the data will be disclosed.
Business will be required to identify at the time of data collection the personal data that’s being collected and how it will be used. Once an individual’s personal data has been collected, the business cannot use the information for a different purpose without notifying the individual.
Businesses will be required to provide a copy of the collected data to the individual in a portable data format (where technically feasible).
There are limited exceptions for personal data that’s collected for a single, one-time transaction, if the business doesn’t sell, retain, re-identify or otherwise link the data.
2. Right to be Forgotten
Unless an exception applies, a business must delete the personal data of a California resident on request.
Some of the exceptions are for data that is necessary for the business to:
- Complete the transaction for which the data was collected
- Detect or protect against security incidents or illegal activity, or prosecute individuals responsible for illegal activity
- Identify and repair errors that impair intended functionality
- Comply with laws and legal obligations
3. Notice and Opt-Out
A business that collects or buys personal data of a California resident cannot resell that information to a third-party unless the individual has received notice of the proposed sale and an opportunity to opt-out. There are more restrictive requirements if the data relates to children under age 16.
4. “Freemium” Limits
A business cannot refuse to provide goods or services to individuals that exercise their privacy rights. However, the business can charge different prices or provide a different level service to individuals based on their privacy selections, but only to the extent that the difference is “reasonably related to” the value provided by the individual’s data.
If the business offers financial incentives for consumers to provide personal data, the business must notify individuals of the financial incentives, the consumer must expressly opt-in to the program, and the consumer must be able to opt-out at any time.
Other than the bill’s sponsors, nobody seems to like AB 375.
Nicole Ozer, the Technology and Civil Liberties Director of the ACLU of California, describes AB 375 as “a law that utterly fails to provide the privacy protections the public has demanded and deserves,” and as a law that was “hastily drafted and needs to be fixed.”
On the other side, Robert Callahan, Vice President of State Government Affairs for the Internet Association, released a statement pointing to the need to “correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
Let the games begin!