It didn’t take long.
On June 28, 2018, just more than a month after the EU’s General Data Protection Regulation went into effect, imposing broad obligations and restrictions on any entity collecting personal information of EU citizens and residents, the California legislature has passed AB 375, and the governor has signed, the California Consumer Privacy Act of 2018, providing many of the same protections and sure to upend privacy regulation in the United States.
The Act goes into effect on January 1, 2020, and while it has broad implications that will become more apparent over time, there are some key initial takeaways:
- The Act applies to all personal information, which is broadly defined, not just information collected electronically or collected directly by a firm. Companies will need to consider all of their data acquisition functions, and conform their practices to the Act.
- The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Significantly, personal information explicitly includes a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. And, particularly significant in light of this week’s Supreme Court decision, it includes geolocation data. This is a far-reaching extension of how personal information has been defined in the United States for privacy purposes.
- The Act would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
- The Act includes a private right of action, allowing consumers to seek damages for certain categories of unauthorized disclosures.
- Business will be required to make disclosures about the information and the purposes for which it is used.
- Consumers will have the right to request deletion of personal information and would require the business to delete upon receipt of a verified request.
- Consumers will have the right to opt out of the sale of personal information by a business, and businesses will be prohibited from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
- The Act will protect California citizens, and apply to any company that has annual gross revenues in excess of $25,000,000, alone or in combination, or annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or derives 50 percent or more of its annual revenues from selling consumers’ personal information. You should note that these tests are in the alternative, and that it will include many smaller companies.
These are only a few of the provisions of the Act, but it is clear that it has the potential of impacting companies throughout the nation. Just as California’s initial breach notification act, adopted in 2002, radically changed the privacy landscape, the California Consumer Privacy Act of 2018 is likely to have as important an impact.
The authors of the Act recognize that it will require additional clarifying regulation to implement, and the Act itself authorizes the Attorney General to issue opinions on the scope of the Act.
While the ink on the Act is still wet, it seems clear that the Act reflects many of the requirements of the EU’s General Data Protection Regulation, and complying with the GDPR will put companies at a competitive advantage against those who wait.
The JMBM Cybersecurity and Privacy Group has worked with dozens of companies to establish procedures and policies to achieve GDPR compliance. For additional information, contact Bob Braun (email@example.com, 310.785.5331) or Mike Gold (firstname.lastname@example.org, 310.201.3529).
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.