While attending a cocktail party in California, a Google employee supposedly said the following to Alastair Mactaggart: “If people just understood how much we knew about them, they’d be really worried.” Mactaggart, a real-estate developer in California, then began contemplating the issue that has been consuming news articles the past few years: privacy in a digital world. Between the EU’s General Data Protection Regulation (GDPR) going into effect in May and the Cambridge Analytica scandal this spring, privacy has become an inescapable topic. Mactaggart’s main question is that in a world where most people have no choice but to have a phone or computer, how can they maintain control over their personal data to ensure it stays personal? He thus worked to develop a privacy initiative addressing these issues, focusing on transparency, control and accountability. These three principles are the basis of the ballot initiative created by Californians for Consumer Privacy: the California Consumer Privacy Act (CCPA). It received 625,000 signatures, which is almost twice the number required for an initiative to be included on the California ballot. Overall, this act gives consumers three fundamental rights:
- The right to know what personal information is being collected;
- The right to know what personal information is being sold and/or shared with third parties as well as the identity of those third parties; and
- The right to request that their personal information no longer be sold (i.e., the right to opt out).
As originally crafted, the CCPA would have applied to any business, regardless of location, that earns $50 million in revenue per year, sells 100,000 consumer records in a calendar year, or makes 50% of its annual revenue from selling personal data. This broad sweeping scope should be familiar to those responsible for ensuring readiness for the GDPR and its applicability to organizations outside of the EU.
Fast forward a month and a half after the initiative was first approved: Mactaggart agreed to a deal that would keep this initiative off the November ballot. Instead, he and other interested parties, along with state lawmakers, drafted a bill that varies slightly from the CCPA but still gives consumers certain rights to protect their data and requires businesses to develop and implement various policies and procedures to comply. If signed by the California Governor by June 29, 2018, Mactaggart has agreed to withdraw the CCPA from the ballot.
The new bill, which is an amendment to Assembly Bill 375 (AB 375), provides similar rights to consumers to protect their personal data, but it also brings important differences from the CCPA. AB 375 provides the following rights to consumers:
- The right to know what personal information is collected;
- The right to know whether their personal information is sold or disclosed and to whom;
- The right to opt out of the sale of their personal information;
- The right to access their personal information;
- The right to request the deletion of their personal information; and
- The right to equal service and price, regardless of whether they exercise their privacy rights.
As originally proposed, businesses have 45 days to respond to consumer requests to exercise any of their rights. The main differences between the CCPA and AB 375 are that AB 375 provides the additional right to deletion and that AB 375 doesn’t provide for a private right of action for any violation. Instead, it gives businesses more allowance to limit penalty amounts. Businesses get a 30-day window to “cure” any alleged violations. If a business can prove the violations have been “cured” and that no further violations will occur, the state attorney general will be unable to pursue legal action. Overall, violators are facing a maximum penalty of $7,500 per intentional violation. Consumers receive no private right of action for violations of the rights listed above.
Additionally, AB 375 amends rules regarding data breaches. Consumers receive a private right of action and can seek damages in the event of a breach where the business has failed to implement “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Damages that occur as the result of a breach are limited to a maximum of $750 per consumer per incident.
AB 375 will apply to a slightly different array of businesses than the CCPA, as it applies to any business that earns $25 million in revenue per year, sells 50,000 consumer records per year or derives 50% of its annual revenue from selling personal information. As with the CCPA, AB 375 applies to any business collecting or selling personal information from California regardless of the physical location of the business. Should Governor Brown sign the bill by this Friday, June 29—which he is likely to do—these requirements will become effective beginning January 1, 2020, and the bill will be called the California Consumer Privacy Act of 2018.
Businesses subject to this legislation will be required to implement various policies and procedures ensuring the protection of personal information, including updates to privacy policies, “reasonable” security protections and facilitation of consumer rights. Each request from consumers must be formally analyzed, as a business may not have to honor a consumer’s request to exercise one of his/her rights in certain scenarios.
Businesses subject to these requirements must begin to map out all personal information collected and shared from Californians. This analysis should include the categories of personal information collected, why the information is collected and with whom the information is shared/sold. Doing so will allow businesses to more easily respond to consumer requests, as they can probably expect a large number of them initially. Lastly, businesses must determine how they will comply with this new regulation: will they honor these rights nationwide, or will they implement a process to determine the location of the consumer making the request and only honor those requests coming from California? How will it determine this location? This is probably the first of many data-protection laws that will be enacted in the U.S., and companies should prepare for additional state and maybe even federal changes to how they can handle personal data.
About the Authors
Greg Sparrow is Vice President and General Manager of CompliancePoint’s Information Security Practice. Greg has over 15 years of experience with information security, cybersecurity and risk management. His knowledge spans multiple industries and entities including health care, government, card issuers, banks, ATMs, acquirers, merchants, hardware vendors, encryption technologies and key management.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance, at CompliancePoint, focusing on U.S. and international direct-marketing regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE) and has a B.S. in economics from Georgia College.