Soon, California consumers will have the strongest data privacy laws in the country on their side. The California Consumer Privacy Act of 2018 (AB 375) was passed in 2018, but it will not take effect until January 1, 2020.
If the state legislature hadn’t passed the bill, the issue would have been deferred to a ballot initiative, which was widely considered a much more extreme version that was vigorously opposed by the tech industry.
Which Businesses Must Comply with the Data Privacy Law
The law applies to any business, including any for-profit entity, that collects consumers’ personal data, does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
The law also requires that these businesses “implement and maintain reasonable security procedures and practices” in protecting consumer data.
What Rights Will Californians Have?
Californians will have the right to know the three Ws in relation to their data: “what do you collect/store?”, “why?”, and “with whom do you share it?”
Specifically, the bill would grant a consumer the right to request that a business disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
The bill would grant a consumer the right to request deletion of personal information.
The bill would allow consumers to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
However, businesses would be able to offer financial incentives for collection of personal information.
The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized.
The bill defines “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.
Tech Industry Response
The tech industry threw its full weight against the ballot initiative, spending millions of dollars to oppose it through a group called the Committee to Protect California Jobs. They argued that the measure would open them up to liability that would hurt their businesses and their ability to hire.
The bill initially required businesses to share “accurate names and contact information” for third parties that bought user data over the prior year. Due to lobbying by business groups, the language changed to requiring businesses to merely disclose the “categories of third parties” that bought the data.
How Will the New Law Be Enforced?
The law generally puts enforcement in the hands of the California attorney general. Citizens do not have a private right of action (the right to directly sue offending companies) except in narrow cases of data breaches. Without a private right of action that includes a right to recover attorneys’ fees, there is little incentive for plaintiffs’ attorneys to take on privacy violation cases.
What do you think? Does the law go far enough? Or should consumers simply expect that their behaviors online could be tracked, analyzed, and sold?