CCPA meets AB375

So, the story goes…. while attending a cocktail party in California, a Google employee said the following to Alistair Mactaggart: “If people just understood how much we knew about them, they’d be really worried.” Mactaggart, a real estate developer in California, then began contemplating the issue that has been consuming news articles the past few years: privacy in a digital world. Between the GDPR going into effect in May of this year and the Cambridge Analytica scandal that consumed everyone’s attention this spring, privacy has become an inescapable topic. Mactaggart’s main claim is that in a world where most people have no choice but to have a phone or computer, how can they maintain control over their personal data to ensure it stays personal? With this, he worked to develop a privacy initiative addressing these issues focusing on transparency, control and accountability. These three principles form the basis of the ballot initiative created by Californians for Consumer Privacy, the California Consumer Privacy Act (CaCPA). This ballot initiative received 625,000 signatures, which is almost twice the number required for an initiative to be included on the California ballot. Overall, this act provides consumers with three fundamental rights:

1. The right to know what personal information is being collected;
2. The right to know what personal information is being sold and/or shared with third parties as well as the identity of those third parties; and
3. The right to request that their personal information no longer be sold (i.e., the right to opt out).

In addition to honoring the consumer rights listed above, businesses would be required to provide notice via the privacy policy regarding whether personal data is sold and instructions to opt-out of the selling or sharing of this data. Further, businesses must allow consumers to exercise their right to opt-out through, at a minimum, two methods, including a toll-free number and a URL. Should a consumer exercise one of the rights listed above, businesses would be required to respond within 45 days of the request.

As originally crafted, the CaCPA would have applied to any business, regardless of location, that earns $50 million in revenue per year, sells 100,000 consumer records in a calendar year, or makes 50% of its annual revenue from selling personal data. This broad sweeping scope should be familiar to those responsible for ensuring readiness for the GDPR and its applicability to organizations outside of the European Union.

Fast forward a month and a half after the initiative was first approved and, as of last week, Mactaggart has now agreed to a deal that would keep this initiative off the November ballot. Instead, Mactaggart and various stakeholders and state lawmakers drafted a bill that varies slightly from the CaCPA, but still provides consumers with certain rights to protect their data and requires businesses to develop and implement various new policies and procedures to comply. If signed by the California Governor by June 28, 2018, Mactaggart has agreed to withdraw the CaCPA from the ballot.

The new bill, which is an amendment to Assembly Bill 375 (AB 375), provides similar rights to consumers to protect their personal data, but also brings key differences from the CaCPA. AB 375 provides the following rights to consumers:

1. The right to know what personal information is collected;
2. The right to know whether their personal information is sold or disclosed and to whom;
3. The right to opt-out of the sale of their personal information;
4. The right to access their personal information;
5. The right to request the deletion of their personal information; and
6. The right to equal service and price, regardless if they exercise their privacy rights.

As originally proposed, businesses have 45 days to respond to consumer requests to exercise any of their rights. The key differences between the CaCPA and AB 375 are that AB 375 provides the additional right to deletion and that AB 375 does not provide for a private right of action for any violation (more on this below). Instead, AB 375 provides businesses with more allowance to limit penalty amounts. Businesses are provided a 30-day window to “cure” any alleged violations. If the business can prove the violations have been “cured” and that no further violations will occur, the state attorney general will not be able to pursue legal action. Overall, violators are facing a maximum penalty of $7,500 per intentional violation. Consumers are not provided a private right of action for violations of the rights listed above.

Additionally, AB 375 provides amended rules regarding data breaches. Consumers are provided with a private right of action and can seek damages in the event of a breach where the business has failed to implement “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Damages that occur as the result of a breach are limited to a maximum of $750 per consumer per incident.

AB 375 will apply to a slightly different array of businesses than the CaCPA as it applies to any business that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information. As with the CaCPA, AB 375 applies to any business collecting or selling personal information from California regardless of the physical location of the business.

Should Governor Brown sign the bill by this Friday, June 28, which he is likely to do, these requirements will become effective beginning January 1, 2020 and this bill will be referred to as the California Consumer Privacy Act of 2018.

Businesses subject to this bill will be required to implement various new policies and procedures ensuring the protection of personal information, including updates to privacy policies, “reasonable” security protections, and facilitation of consumer rights. Each request from consumers must be formally analyzed as various scenarios may exist in which a business does not have to honor a consumer’s request to exercise one of his/her rights.

Businesses subject to these requirements must begin to map out all personal information collected and shared from Californians. This analysis should include the categories of personal information collected, why the information is collected, and to whom the information is shared/sold. This will allow businesses to more easily respond to consumer requests as businesses can probably expect a high number of requests initially. Lastly, businesses must determine how they will comply with this new regulation – will the business honor these rights on a nationwide basis or will the business implement a process to determine the location of the consumer making the request and only honor those requests coming from California? How will it determine this? It is likely this is the first of many data protection laws to be enacted in the United States and companies should prepare for additional state and maybe even federal changes to how businesses can handle personal data.

We understand compliance with these requirements can be difficult to manage. Please feel free to reach out to connect@compliancepoint.com for more information on how to prepare or comply with this regulation and any other privacy, security or compliance matters.