The Most Aggressive Privacy Law in the U.S.: Tracking the California Consumer Privacy Act of 2018

Signed into law on June 28, 2018, the California Consumer Privacy Act provides the most comprehensive and aggressive privacy law in the United States — despite being pushed through the legislative process in one week. The California State Legislature will reconvene from Summer Recess on Monday, August 6, and it is expected to reevaluate the Act before the legislative session closes on August 31. Businesses should get acquainted with the main provisions of the Act and its broader implications as legislators fine-tune this significant law — a process that can continue until the Act goes into effect on January 1, 2020.

How We Got Here

California has a unique ballot initiative process that allows citizens to pass laws outside of the traditional legislative process. At a high level, if a citizen drafts an initiative and then secures enough signatures, s/he can put the initiative on the ballot and California citizens can vote it into law. If such an initiative becomes law, it is significantly more difficult to amend than a law passed through the legislative process.

Here, a real estate developer received over 600,000 signatures for a consumer privacy initiative. The developer vowed to put the initiative on the ballot in November unless the Legislature passed a similar law. With polls suggesting that the initiative would pass if put to a vote, the Legislature passed A.B. 375, the California Consumer Privacy Act of 2018.

Will the Act Apply to Your Company?

The Act provides sweeping protections to consumers and their personal information. It generally applies to any for-profit company, and any entity that controls or is controlled by such company, conducting business in California that collects consumers’ personal information and meets at least one of the following criteria:

1. Generates annual gross revenues over $25 million.
2. Alone or in combination, receives or shares the personal information of 50,000 or more consumers, households or devices.
3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act – An Overview

The Act will not go into effect until 2020, and the Legislature may continue to make changes up until that point. In its current form, the main provisions of the Act include:

1. Sweeping Definition of Personal Information. The Act is much broader than other U.S. statutes that focus on specific sensitive data like Social Security numbers. The Act defines “personal information” as any “information that … could be reasonably linked, directly or indirectly, with a particular consumer or household.” An exclusion exists for publicly available information.
2. Broad Consumer Rights. The Act grants California residents a broad range of new rights with respect to their personal information. Companies are forced to accommodate these new consumer rights, including:
   1. Companies that collect personal information must disclose to consumers the categories of personal information to be collected and for what purpose they use it.
   2. If a consumer asks, companies must disclose exactly what personal information they collect on the consumer and for what purpose they use it.
   3. If a consumer asks, companies must deliver such personal information to the consumer in a readily useable format, free of charge.
   4. If a consumer asks, companies must delete any of the consumer’s personal information and direct service providers to do the same. Certain exceptions exist if the consumer’s personal information is necessary to provide the consumer a service.
   5. If a consumer opts out, companies are not allowed to sell that consumer’s personal information to third parties. (For consumers under the age of 16, companies can only sell personal information if such consumers affirmatively opt in to such use of their personal information.)
   6. If a consumer asks, companies must disclose the categories of any third parties to which personal information of the consumer was previously sold or disclosed.
   7. Consumers also maintain a private right of action if a company’s lack of reasonable security practices results in a data breach.
3. Extensive Authority of Attorney General. The California Attorney General has broad authority to promulgate regulations pursuant to the Act. Also, the Attorney General has the authority to prosecute an action against a company that violates the Act.

Additionally, the Act prohibits companies from discriminating against consumers who exercise any of their rights under the Act. However, companies can offer consumers financial incentives to collect or sell their personal information.

The Act also establishes a Consumer Privacy Fund in the General Fund and allows any business to seek the Attorney General’s opinion on how to comply with the Act.

Comparisons to the EU’s GDPR

The Act is modeled after the European Union’s General Data Protection Regulation (GDPR) — but there are meaningful differences between the two. Generally, the Act puts more onus on the consumer. Although consumers are granted broad rights, for the most part, they must take affirmative action to seek the protection afforded under the Act. Under the GDPR, however, that burden is inverted; companies must disclose their legal basis and retention plans for specific data at the time of collection, cannot process certain sensitive information (e.g. health data) or automatically profile consumers without receiving explicit consent, and generally must document data activities internally, whether consumers ask about their information or not. Thus, the Act makes less rigorous demands of companies than the GDPR.

Another major difference? The GDPR took around four years to pass. The California Legislature passed the Act in about one week.

For more information on the GDPR, please visit our International Affairs: GDPR resource page.

Implications of the Act

Although the Act is not as expansive as the EU’s GDPR, it is viewed as the most comprehensive, aggressive privacy law in the United States. Reports estimate that the Act will apply to over half a million U.S. companies. To some extent, domestic U.S. companies have been able to isolate the impacts of the GDPR, but they will likely have less luck ducking the regulatory challenges of the Act. Businesses subject to the Act will be forced to reform their privacy data collection, dissemination, and disclosure practices — which will be an expensive and time-sensitive undertaking.

Some positive news for businesses: the version of the bill that was passed is not likely to be the law that ultimately takes effect. Because the Act was passed by the Legislature instead of by California voters, legislators can change the details up until the Act goes into effect, and they have indicated plans to do so.

More immediately, the Legislature has expressed that it may make technical changes to the bill from August 6 to August 31. Most expect these changes will be limited to small tweaks, including correcting typos or changing terminology. Some trade associations plan to advocate for easy changes to the Act this month and wait until 2019 to address bigger issues.

Certainly, over the next 17 months, we expect many changes to the language of the Act. We’ll be tracking to see whether these changes affect the practical implications of the Act on your business.