California’s GDPR?

The 2018 California Consumer Privacy Act

05/14/2018
Client Alert

This alert was also published in Law360 on May 17, 2018

While companies are focusing on compliance with the EU’s General Data Protection Regulation (GDPR) requirements, Californians will likely be given the option on the November 6, 2018 ballot to impose a sweeping, GDPR-like privacy regime that also deserves attention.[1]

If approved by voters in November, the California Consumer Privacy Act would require businesses to disclose the categories of personal information they collect, sell, or share about California consumers, and would give consumers a right to say “no” to the sale of their information. The Act would also allow consumers to sue for violations (which include data breaches resulting from failure to maintain “reasonable security procedures and practices”) without having suffered any loss of money or property, and would impose stiff penalties for noncompliance.

The proposed Act is far reaching. It covers virtually any and all information a business has about a consumer and reaches across all industries and business practices. If passed, the Act would impose significant compliance challenges, burdens, and costs, and greatly increase the risk of litigation. Below, we provide further information regarding some of these new burdens and obligations, including time and steps for implementation.

Businesses and Information Covered

The Act would apply to entities doing business in California if they meet one of the following thresholds: (i) the entity has annual gross revenues in excess of $50M; (ii) it annually sells personal information of 100K or more consumers or devices; or (iii) it derives 50% or more of its annual revenue from selling consumer personal information.[2]

The Act covers “personal information” (PI), which it defines broadly as any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.”[3] This definition includes, but is not limited to, twelve enumerated categories of information about consumers and any minor children of the consumer.[4]

While some of the enumerated categories are expected — identifiers (like name, address, email, Social Security or driver’s license number), biometric data, or professional or employment-related information — the Act expands far beyond traditional notions of personal information. It includes, for example, “commercial information,” which encompasses products or services provided, obtained, or considered, as well as “other purchasing or consuming histories or tendencies.” It also includes Internet activity, such as browsing or search history or a consumer’s “interaction” with a website, application, or advertisement. The definition of PI also vaguely extends to “inferences drawn” from any of the categories of PI specifically enumerated.

Act Requirements

The Act seeks to create the following consumer privacy “rights”:

“Right to know.” Upon request by a consumer, businesses must disclose the categories of PI that the business has, within the year preceding the request: (i) collected; (ii) sold to a third party; and/or (iii) disclosed to another person for a business purpose.[5] Consistent with its expansive scope, the Act broadly defines collecting, selling, and disclosing for a “business purpose” to encompass virtually all aspects of a business’s interaction with — and use of — consumer PI:

  • If a business buys an email or address list from a direct-mailing-list broker, that information would need to be listed as information “collected.”
  • If a business shares customer purchase records with a data cooperative in exchange for access to other consumer PI the cooperative has, that information would need to be listed as information “sold,” and depending on what the business receives from the co-op, as information “collected.”
  • If a business provides a consumer’s account or transaction information to a third-party customer-support provider or to a third-party for processing credit card transactions, that information would need to be listed as information “disclosed for a business purpose.”

For businesses that have sold or disclosed the requesting-consumer’s PI, the business must also provide accurate names and contact information for the receiving parties.[6]

To facilitate consumer requests for information, the Act would require businesses to make available two or more designated methods to ask for the information. At a minimum, these methods must include a toll-free number and, if the business has a website, a website address.[7] Businesses would be required to respond in writing within 45 days of a request.[8] These reports would need to be provided free of charge.[9]

In addition, a business must disclose certain information about the Act online, including, if applicable, in its online privacy policy or in any California-specific description of consumers’ privacy rights.[10] This information, which must be updated at least once a year, includes (i) a description of rights under the Act, and (ii) a list of categories of PI collected, sold to a third party, or disclosed for business purposes.[11]

Right to “say no.” Businesses must give consumers the right to opt out of the sale of personal information.[12] The Act requires a “clear and conspicuous” link on the business’s homepage, titled “Do Not Sell My Personal Information.”[13] If the business has a separate page for California consumers and takes reasonable steps to direct California consumers to that page, the business does not have to put the “Do Not Sell” link on its homepage.[14] Any information collected in connection with a consumer’s opt-out request may only be used for purposes of complying with the opt-out request.[15]

Right to sue for violations of the Act. The Act provides a private right of action for violations of its provisions, with recovery of statutory damages of $1,000 per violation (or up to $3,000 for willful violations) or actual damages, whichever is greater.[16] The Act is silent, however, on what constitutes a “violation” — i.e., in the context of a delayed response to a request, whether a “violation” is a single failure to respond per person or whether that failure is multiplied per category of PI or per day, or, in the context of an incomplete disclosure, whether a “violation” is the errant disclosure itself or the category or categories of PI excluded.

A violation of the Act alone is enough for an injury-in-fact, meaning the plaintiff need not have suffered any loss of money or property to have standing to sue.[17] The Act also provides for public enforcement by the California Attorney General or district attorney (as well as, under certain circumstances, a county counsel, city attorney, or city prosecutor), with civil penalties of up to $7,500 for each violation.[18] Finally, the Act provides a “whistleblower” enforcement mechanism that would allow individuals to stand in the shoes of the AG to seek civil penalties for violations.[19]

Notably, there is no “good faith” compliance or “bona fide” error or mistake exception. There is, however, a non-California “exemption” that provides that the obligations imposed by the Act shall not restrict a business’s ability to collect and sell consumer PI so long as every aspect of the commercial conduct takes place outside of California.[20]

Right to sue for data breach. The Act also creates new liabilities for security breaches involving consumers’ PI (as defined in California’s data breach notification law, Cal. Civ. Code § 1798.82). A business that has suffered a data breach and failed to implement and maintain “reasonable security procedures and practices” to protect the disclosed PI will be deemed to have violated the Act, opening the business up to the Act’s statutory penalties.[21] The Act specifies that consumers, law enforcement, or whistleblowers may sue for a data breach.

The potential exposure could be enormous if a “violation” is the number of individuals and/or records impacted as opposed to the breach incident itself. Assuming a breach of one million consumer records, if a defendant is found liable under the Act, the statutory damages from a consumer action could amount to $1 billion.[22]

This provision appears designed to overcome court decisions finding that consumers lack standing to sue for data breaches where they cannot demonstrate actual harm or a likely threat of future harm. The Act would likely lower the bar for standing in data breach cases, thereby making dismissal more difficult and potentially raising the “headline” number for private consumer and law enforcement data breach settlements.

Timing and Steps for Implementation

If passed, the Act will be effective immediately on the day following the election — November 7, 2018.[23] With respect to the consumer PI requirements, however, the Act provides for a nine-month grace period from the November 7 effective date, and would apply only to PI collected on or after August 7, 2019.[24]

The Act also requires that, if the California Attorney General determines it necessary to adopt implementing regulations, he do so within six months of the Act’s adoption.[25] The Act further provides that the AG may adopt “interim regulations” without complying with the Administrative Procedures Act (which requires notice of rulemaking, a 45-day comment period, and public hearings if requested), and that those interim regulations will remain in effect for 270 days unless superseded by regulations adopted pursuant to the APA.[26]

Takeaway

If a business is within the scope of the California Consumer Privacy Act, the Act reaches virtually any and all information that a business has about its customers as well as any and all ways that a business interacts with, or uses, that information.

Planning for compliance will take time, resources, and careful consideration. As an initial step, businesses should thoroughly review what information they collect about California consumers. Given the broad scope of information covered by the Act, it is unlikely that businesses are maintaining all relevant information centrally, and it will be important to canvass and collaborate across departments and divisions. Second, businesses should organize, in a single place, information regarding the sale or disclosure of any consumer PI to third parties. Depending on the purpose associated with collecting, selling, or sharing consumer PI, it may be necessary to assess the ongoing need to do so as consumer privacy issues continue to occupy legislatures and the courts.

This Act is symptomatic of a growing trend toward regulating businesses’ collection and use of consumer personal information in the name of privacy. That the Act garnered nearly twice the signatures required to qualify for the ballot suggests its focus on privacy will resonate with voters. Businesses need to stay abreast of proposed privacy legislation, and be prepared for any changes to come. We will be following the Act closely; those doing business in California should too.

[1] On May 3, 2018, proponents of the California Consumer Privacy Act announced they had collected the signatures needed to qualify the Act for the November ballot. https://ballotpedia.org/California_Consumer_Personal_Information_Disclosure_and_Sale_Initiative_(2018). Before the Act can be included on the ballot, however, county election officials must verify the signatures, and the Secretary of State must certify the measure qualifies for the ballot.

[2] § 1798.106(b)(1). Unless otherwise specified, all citations are to Section 4 of the Initiative Measure, and track proposed changes to the California Civil Code.

[3] § 1798.106(m).

[4] Id. PI does not include information that is publicly available or that is de-identified. Id.

[5] §§ 1798.100, 1798.101. The Act requires businesses to reference the categories of PI enumerated in the Act that most closely describe the PI subject to the disclosure, and disclose the categories in separate lists for information collected, sold, and disclosed. §§ 1798.104(a)(3) & (4).

[6] §§ 1798.101(a), 1798.104(a)(4). If the business has not sold or disclosed the consumer’s PI, the business must inform the consumer of that fact. § 1798.101(c).

[7] § 1798.104(a)(1).

[8] § 1798.104(a)(2).

[9] Id.

[10] § 1798.104(a)(5).

[11] Id.

[12] § 1798.102. For consumers who have opted out, businesses may not ask them for permission to sell their PI for at least 12 months. § 1798.105(a)(5).

[13] § 1798.105(a)(1).

[14] § 1798.105(b).

[15] § 1798.105(a)(6).

[16] § 1798.108(b)(1).

[17] § 1798.108(a).

[18] § 1798.109.

[19] § 1798.111.

[20] § 1798.107(a)(4).

[21] § 1798.112. The Act does not define “reasonable security procedures.” In its most recent California Data Breach Report, however, the California Attorney General recommends that organizations must, at a minimum, meet the 20 controls in the Center for Internet Security’s Critical Security Controls, and states that a failure to do so constitutes a “lack of reasonable security.” (See https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf at 30.)

[22] See §§ 1798.112, 1798.108(b)(1).

[23] Initiative Measure, Section 13 at 20.

[24] Id.

[25] § 1798.115(c).

[26] Id.


©1996-2018 Morrison & Foerster LLP. All rights reserved.