Just a month after the European Union’s notoriously strict General Data Protection Regulation (GDPR) went into effect, California followed suit with a landmark law of its own: the California Consumer Privacy Act of 2018.
Authored by Democrats Senator Bob Hertzberg and Assemblyman Ed Chau, AB 375 passed unanimously in both chambers of the California Legislature on June 28. Mere hours later, Governor Jerry Brown signed the bill into law.
The law’s opponents—including major tech companies like Facebook, as well as the California Chamber of Commerce, the National Retail Federation and the Association of National Advertisers—nonetheless urged its passage. The opponents were understandably anxious about the more expansive ballot initiative that San Francisco real estate developer Alastair Mactaggart had qualified for the November ballot. Unlike ballot initiatives, laws passed through the legislature are easier to amend. And the law’s opponents have already put together a list of changes they want to make to the statute before it goes into effect in 2020. Mactaggart, who had agreed to withdraw his initiative from the ballot if the governor signed AB 375, kept his word and pulled the initiative later on June 28.
Set to go live on January 1, 2020, the law protects California consumers and applies to all businesses that meet one or more of the following thresholds:
Much like the GDPR, the law drastically expands the definition of “personal information” to include things like
Under the new law businesses must, upon request, disclose to California consumers
Businesses must also comply with a California consumer’s request to
Businesses are banned from
Businesses cannot discriminate against consumers for exercising their rights, such as by charging them higher fees or delivering lower quality service or products. But they can still offer financial incentives for collection of personal information.
Consumers can sue businesses for data breaches of unencrypted, unredacted information, with damages of at least $100 and up to $750 per consumer per incident or actual damages, if they are higher. The California attorney general is allowed to step in to take the case, and businesses must be given a chance to “cure” the violations—but it’s unclear how a data breach can be cured after the fact.
Hailed as the strictest data privacy law in the United States, the California Consumer Privacy Act is a game-changer. And privacy experts predict that the law will have ramifications well beyond California, given the hassle and expense of building state-by-state consumer experiences.
Businesses that went through the painful process of GDPR compliance likely have little to worry about, since the California law is far less strict.
The rest, however, will have to keep a close eye on any amendments that will flesh out the law over the next year and a half. Now would be a good time to undertake a data audit and determine
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.