GDPR "Lite" Comes to the United States: The California Consumer Privacy Act of 2018

Holland & Hart LLP

Last month the GDPR launch in the EU was punctuated by lawsuits seeking $8.8 billion from Google and Facebook. It turns out that the GDPR foreshadowed significant changes to the US data privacy landscape that came much sooner than most anticipated.

When the GDPR became effective in May, a California privacy initiative — The Consumer Right to Privacy Act of 2018 — was still gathering signatures to qualify for the November 2018 ballot. That initiative sought to bring many of the GDPR’s privacy protections to California residents. The initiative’s sponsors recently submitted double the number of signatures necessary to qualify for the November 2018 ballot. In reaction to the initiative’s favorable polling, the California legislature resurrected the California Consumer Privacy Act (AB 375), which had died in committee in September 2017. The initiative’s sponsors struck a deal with legislators, agreeing to withdraw the initiative if AB 375 was signed into law by June 28, 2018 — the initiative withdrawal deadline. In a whirlwind of activity lasting only a week, AB 375 became law on June 28.

Although not as expansive as the GDPR, the California Act is a significant departure from the traditional U.S. approach to collection and use of personal information by businesses, and it shares many similarities with the GDPR. Here are some highlights:

  • The Act provides that consumers have a right to know what personal information businesses collect about them.
  • It requires businesses to notify California consumers of the categories of information the businesses collect and prohibits businesses from collecting additional information without further disclosure.
  • It grants consumers a “right of access”: the right to request and receive the data collected by a business in a readable and portable format. This includes the right to be informed of the purposes for which the consumer’s data is collected and the “categories” of third parties with which the business has shared the consumer’s personal information.
  • It grants consumers the right to request information regarding businesses’ sale of the consumers’ personal information to third parties, including the categories of data sold, and the categories of the third-party purchasers of the data.
  • It grants consumers a “right to be forgotten”: the right to request that a business delete all personal information it has collected on the consumer, subject to certain exceptions.
  • It requires that all consumers be notified if a business sells their personal information, and it gives them the right to opt out or to later direct the business to stop selling their data.
  • It prohibits companies from denying services to or otherwise discriminating against consumers who refuse to consent to the sale of their personal information, subject to some exceptions.
  • It has potential extra-territorial application: subject to certain thresholds, it applies to businesses doing business in California that collect information from California residents.

If there is a silver lining to the passage of the California Act for companies doing business in California, it is that the Act does not become effective until January 1, 2020, and it will inevitably require fine-tuning before then. Because it is not a ballot initiative, it can be (relatively) easily amended by the California legislature. We expect businesses will attempt in the interim to influence the Act’s final form.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Hart LLP | Attorney Advertising
