On June 21st, California legislature Democrats reached a tentative agreement with a group of consumer privacy activists spearheading a ballot initiative for heightened consumer privacy protections, in which the activists would withdraw the the existing ballot initiative in exchange for the California legislature passing, and Governor Jerry Brown signing into law, a similar piece of legislation, with some concessions, by June 28th, the final deadline to withdraw ballot initiatives. If enacted, the Act would take effect January 1, 2020.
In the “compromise bill”, Assemblyman Ed Chau (D-Arcadia) amended the California Consumer Privacy Act of 2018, (AB 375) to ensure the consumer privacy activists, and conversely ballot initiative opponents, would be comfortable with its terms.
Some of the key consumer rights allotted for in AB 375 include:
- A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;
- A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of any 3rd parties to which the information was sold or disclosed;
- A consumer’s right to opt-out of the sale of personal information by a business prohibiting the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts-out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
Covered entities under AB 375 would include, any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, OR (iii) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Though far reaching, the amended AB 375 limits legal damages and provides significant concessions to business opponents of the bill. For example, the bill allows a business 30 days to “cure” any alleged violations prior to the California attorney general initiating legal action. Similarly, while a private action is permissible, a consumer is required to provide a business 30 days written notice before instituting an action, during which time the business has the same 30 days to “cure” any alleged violations. Specifically, the bill provides: “In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Civil penalties for actions brought by the Attorney General are capped at $7,500 for each intentional violation. The damages in any private action brought by a consumer are not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
Overall, consumer privacy advocates are pleased with the amended legislation which is “substantially similar to our initiative”, said Alastair Mactaggart, a San Francisco real estate developer leading the ballot initiative. “It gives more privacy protection in some areas, and less in others.”
The consumer rights allotted for in the amended version of the California Consumer Privacy Act of 2018, are reminiscent of those found in the European Union’s sweeping privacy regulations, the General Data Protection Regulation (“GDPR”) (See Does the GDPR Apply to Your U.S. Based Company?), that took effect May 25th. Moreover, California is not the only United States locality considering far reaching privacy protections. Recently, the Chicago City Council introduced the Personal Data Collection and Protection Ordinance, which, inter alia, would require opt-in consent from Chicago residents to use, disclose or sell their personal information. On the federal level, several legislative proposals are being considered to heighten consumer privacy protection, including the Consumer Privacy Protection Act, and the Data Security and Breach Notification Act.
We will continue to report on the status of these bills and other legislative proposals for heightened data security at the federal, state and local level as developments unfold. Given the legislative climate, it has never been more important for organizations to ensure they have practices and procedures in place to provide adequate privacy protections to the individuals whose information they obtain, handle, or store.