If you still think it will be years before the U.S. passes a law similar to the European Union’s General Data Protection Regulation (GDPR), think again – that day has already come. Last week, California became the first state in the U.S. to pass a post-GDPR consumer data privacy law that will affect any business with a presence in California, even if the only presence is via the Internet.
How this started: the ballot initiative
The ballot initiative, known as the “California Consumer Privacy Act of 2018,” is the brainchild of Alastair Mactaggart, a real estate developer based in San Francisco. Over the last two years, Mactaggart has spent $3 million to create and fund the campaign behind the ballot initiative and to gather enough signatures to put it on the state-wide ballot in November.
Essentially, the ballot initiative echoed some of the protections found in the GDPR that went into effect in the EU in May. Its goal was to provide California consumers with an affirmative right to access the personal information and data that businesses gather regarding consumers in their day-to-day operations. It also would have given consumers the right to opt out of the sharing of that data and provided a private right of action carrying statutory damages of as much as $7,500 per violation per consumer. The initiative would have impacted every business with an Internet presence in California – a significant portion of American businesses.
Mactaggart’s threat to put the initiative before California voters in November was enough to get the attention of the legislature and major stakeholders in that state. That’s because a California ballot initiative cannot be altered before it is presented to the voters, and laws enacted by initiative are extremely difficult to amend once passed. In other words, if the ballot initiative passed, California businesses would have been forced to comply with the initiative exactly as Mactaggart drafted it for the foreseeable future.
How the bill was introduced and passed within 48 hours
Proposing the ballot initiative was Mactaggart’s way of forcing the California legislature to pass its own pro-consumer privacy bill in short order. Mactaggart demanded that the legislature pass a law similar to the initiative on or before June 28, 2018, and, in exchange, he would withdraw the initiative. Considering the ballot initiative would have been far more difficult to amend or change, the legislature opted instead to pass its bill in advance of the deadline.
And that’s how AB-375, now known as the California Consumer Privacy Act of 2018, came to be. California governor Jerry Brown signed the bill into law Thursday afternoon and called it a “historic step” that “forges a path forward to lead the nation once again on privacy and consumer protection issues.”
As promised, Mactaggart withdrew the initiative upon passage of the Act.
What does this mean for American businesses?
First, there is no need to panic quite yet: the Act will not become effective until January 1, 2020. At the very least, businesses have another year and a half to work toward compliance.
Second, the Act is significantly more business-friendly than Mactaggart’s ballot initiative, but it will still require significant effort to be in compliance. Some notable features of the Act:
- The Act may apply to any for-profit business that collects personal information about California residents and meets at least one of the following thresholds, regardless of whether that business is based in California or has a physical presence there:
- (1) annual gross revenues of more than $25 million; or
- (2) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or
- (3) derives 50% or more of its annual revenues from selling consumers’ personal information.
- Consumers will have the right to demand disclosure of what types of data a business holds about them, as well as what that business is doing with that data;
- Businesses will be required to have a verification process so that consumers can verify their identities prior to invoking the right to demand disclosure of their data;
- Consumers will have a “right to be forgotten” (i.e., the right to request that a business delete the consumer’s data from its records);
- The Act creates a private right of action for security violations (i.e., data breaches) only – it does not create a private right of action for privacy violations (i.e., failure to provide information regarding data sharing or to honor a consumer’s request). Additionally, the statutory damages available under that private right of action are capped at $750 per consumer per incident (with a floor of $100, or actual damages if greater), whereas the initiative contemplated a cap of $7,500.
- A business will have a 30-day safe harbor in which to cure a security violation upon written notice by a consumer. If the business cures the violation within that time period, then the consumer will not be eligible to recover statutory damages.
- The state Attorney General will be able to prosecute privacy violations by way of enforcement action, with civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.
Finally, it is possible, if not likely, that the law will be amended before the January 1, 2020 effective date. One industry trade group, the Internet Association (which represents tech companies including Google and Facebook), has already indicated that it will seek changes prior to the effective date.