California Passes Toughest Online Privacy Law in the U.S.
With the GDPR just over
Key Provisions
The law, which takes effect in 2020, applies to any entity doing business in the State of California that meets one of the following thresholds:
- has annual gross revenues over $25,000,000;
- sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- derives 50% or more of its annual revenues from selling consumers' personal information.
The Act includes a broad definition of personal information and creates rights to know what data companies are collecting, why they are collecting it, and with whom they are sharing it. In addition, the Act provides that:
- Consumers can bar covered businesses from selling their data, and businesses are prohibited from discriminating against consumers for exercising this right, including by charging different prices or providing a different quality of goods or services, unless the difference is reasonably related to the value provided by the data.
- Businesses must disclose the purposes for which information is used. They are also required to provide a link to a "Do Not Sell My Personal Information" section on the home page of their websites to make it easy for consumers to opt out.
- Consumers have the right to request deletion of personal information.
- Businesses are barred from selling the personal information of a consumer between 13 and 16 years of age unless the consumer affirmatively authorizes the sale as specified in the Act; the Act refers to this as the right to opt in.
- The law gives consumers a private right of action, enforced by the state Attorney General, for "certain unauthorized access and exfiltration, theft, or disclosure of a consumer's nonencrypted or nonredacted personal information," subject to recovery of statutory or actual damages, whichever is higher.
- The Act creates a Consumer Privacy Fund in the General Fund to support the purposes of the bill and its enforcement.
- Waivers of a consumer's rights under the Act are void.
As privacy is a matter of statewide concern, the Act also preempts inconsistent state, county, and municipal laws. It does not apply to the collection and use of information covered by federal laws such as the Health Information Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act, or to information collected pursuant to the Gramm-Leach-Bliley Act or Driver's Privacy Protection
While AB 375 bars businesses from penalizing consumers who exercise their rights under the Act, it permits businesses to offer financial incentives for the collection, sale, or deletion of personal information, including payments to consumers as compensation. And, as noted above, businesses are allowed to charge higher rates for goods or services to consumers who opt out, "if that price or difference is directly related to the value provided to the consumer by the consumer's data."
Importantly, the law specifies that the obligations on businesses shall not restrict their right to comply with applicable laws or legal and regulatory inquiries, cooperate with law enforcement, exercise or defend legal claims, or collect and use de-identified information. As a practical matter, most businesses must share data with multiple service providers to offer their services.
Future Rules and Actions
The Act envisions additional rulemakings to implement its provisions. For example, it contemplates new rules, within one year, to establish any exceptions necessary to comply with existing state or federal laws, and rules and procedures to facilitate consumer access requests, compliance with consumer access requests, and the development of a uniform opt-out logo or button. It is contemplated that additional rules will address required notices, procedures to verify a consumer who makes an access request, and monetary threshold adjustments, among other things, and the Attorney General is authorized to adopt additional regulations as necessary to further the purposes of the Act.
The Act includes some significant differences from the now-withdrawn ballot initiative. For example, the ballot initiative included a provision that required a 70% majority in both houses to change it after it became
The rush to passage to forestall the ballot initiative has already led to suggestions that some modifications should be adopted, both by privacy advocates who think the law does not go far enough and by businesses concerned about its restrictions, so this may not be the last word on the law. The details are important because California has often been at the forefront of expanding legislation. In 2003, for example, California was the first state to enact a data breach law, which proved to be the primary model for legislation passed by other states, all of which have now passed data breach legislation. U.S. state data breach legislation was likewise a model for a data breach provision in the GDPR.
The sweeping provisions of California's privacy law could encourage other states, frustrated by inaction at the federal level, to follow suit. Variations in state data breach legislation
For more information, contact Sheila A. Millar at millar@khlaw.com or +1 202.434.4143 or Tracy Marshall at marshall@khlaw.com or +1 202.434.4234.