California Passes Landmark Privacy Bill

By Sascha Matuszak
Reporter, SCCE|HCCA

California passed a landmark privacy bill on Thursday, June 28, that will have far-reaching and lasting effects on companies that manage and collect consumer data. California Consumer Privacy Act of 2018 (AB 375) was rushed through the legislation in order to prevent a stricter, privacy-focused ballot initiative (the California Consumer Privacy Act) from reaching the ballot and potentially becoming law. Ballot initiatives are very difficult to change or amend, once made into law, and this spurred lobbyists and trade groups representing big tech firms and other businesses to throw their support behind the bill, which can be tweaked and refined in the legislature with relative ease.

The privacy bill is touted by its sponsors as a breakthrough for privacy protections in the US, and Alastair Mactaggart, a California real estate developer who spent about $1.4 million earlier this year to qualify the measure for the ballot, said that it was a “landmark accomplishment, which is the strictest privacy bill ever achieved in this country.” The bill will be implemented in 2020, leaving lobbyists and stakeholders time to make modifications to its language. Big tech firms that had vigorously opposed the ballot initiative are now eager to make changes to the privacy bill, some of which have since been introduced.

Basic rights enshrined in the privacy bill

A June 28th story in the International Association of Privacy Professionals (IAPP) provides the following list of basic rights, much of this is subject to change over time:

• Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what’s being done with their data in terms of both business use and third-party sharing.
• Businesses will have to have a verification process so consumers can prove they are who they say they are when they do their requesting.
• Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use.
• Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special “Do Not Sell My Personal Information” button on their websites to make it easy for consumers to object. *Organizations must only disclose the categories of third parties they sell data to and the button is on the chopping block.
• Sale of children’s data will require express opt-in, either by the child, if between ages 13 and 16, or by the parent if younger than that.
• Organizations cannot “discriminate against a consumer” based on the exercising of any of the rights granted in the bill. For example, you can’t provide a different level or quality of service based on a consumer objecting to the sale of their data. However, organizations could offer higher tiers of service or product in exchange for more data as long as they’re not “unjust” or “usurious.
• A covered “business” is defined as any for-profit entity that either does $24 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.
• The law would be enforced by the Attorney General and create a private right of action for unauthorized access to a consumer’s “nonencrypted or nonredacted personal information.” Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).
• Finally, the law protects any “consumer,” defined as a “natural person who is a California resident,” which is defined as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”

Eric Goldman, assistant director of the Santa Clara University School of Law’s Tech Edge J.D. program, criticized the bill in his blog as an overly-complicated, rushed version of a privacy bill that will see significant revisions in the years to come:

“While not quite as comprehensive as the GDPR, it copies some aspects of the GDPR and will squarely impact every Internet service in California (some of whom may not currently be complying GDPR due to their US-only operations). The GDPR took 4 years to develop; in contrast, the California legislature will spend a grand total of 7 days working on this major bill. It’s such a short turnaround that most stakeholders won’t have a chance to participate in the legislative proceedings. So the Internet is likely to change radically tomorrow, and most people have no clue what’s coming or any voice in the process.”

Compliance across states

The big question for companies affected by the privacy bill will be compliance in California versus compliance elsewhere in the US. The uneven privacy protections, both from state-to-state as well as on the federal level, will pose challenges for companies that fall under California’s new privacy bill jurisdiction. According to current language, a business under the privacy bill is defined as:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark.

All major tech firms fall under this rubric, as do any number of service providers and advertising companies that do business in California. Even more challenging would be a possible “bandwagon effect,” where other states follow California’s lead and develop their own similar privacy protections. Ashkan Soltani, former chief technology officer of the Federal Trade Commission who helped author the ballot initiative, told Wired that, “Once people see this is possible and once companies start complying … I think other states’ citizens will say, ‘Why can’t we have this too?’”