California Enacts Broad Privacy Laws Modeled on GDPR
On June 28, 2018, California Gov. Jerry Brown signed into law the California Consumer Privacy Act of 2018 (AB 375). According to the bill’s author, it was consciously designed to emulate the new European General Data Protection Regulation (GDPR) that went into effect on May 25, and if and when it goes into effect, it would constitute the broadest privacy law in the United States. It is intended to give consumers more transparency regarding and control over their data and establishes highly detailed requirements for what companies that collect personal data about California residents must disclose.
AB 375 will go into effect on Jan. 1, 2020, unless changed in the interim. This legislation was enacted on an extraordinarily accelerated timeframe as part of a compromise with the sponsor of a comparable privacy ballot initiative, which had qualified to be placed before state voters on Election Day in November 2018. The sponsor, Alastair Mactaggart, agreed to withdraw his ballot initiative if AB 375 were signed into law before the June 28 withdrawal deadline. While industry was generally strongly opposed to AB 375 — just as it opposed the ballot initiative — it acquiesced in the compromise legislation because the text of the law could be amended more readily than the text of an initiative approved by the state’s voters. Significantly, the state legislature has recognized that amendments to the act will be necessary and appropriate in the intervening year and a half.
AB 375 goes beyond the ballot initiative by adding requirements for businesses that collect personal information (as defined in the bill) from consumers to delete such information on request as well as to provide access to specific pieces of personal information collected. On the other hand, it curtails the private right of action originally proposed in the initiative. An analysis of the bill prepared by the California Assembly before the vote also indicated that AB 375 was intended to address controversies concerning third-party sale of personal information acquired from social media without data subjects’ authorization.
However, unlike the European Union’s GDPR, AB 375 generally permits opt-out rather than opt-in consent as a basis for collection, use or sale of personal information and does not prohibit specific practices. Nonetheless, and despite the California legislators’ ostensible effort to achieve compromise, the new legislation requires disclosure, access, deletion, portability and enforcement far in excess of what U.S. law, consumers and the marketplace have been comfortable with to date. The potential negative effects on innovation and widespread business practices are likely to prompt considerable interest in making necessary corrections and other amendments to the law before it takes effect in 2020 as well as in possible preemptive federal legislation.
This new legislation may well have an outsize influence on privacy laws nationwide. California was the first state to adopt an express right of privacy in its state constitution. It was also the first to enact data breach notification legislation, which all other states have now followed. Accordingly, even companies that do not collect, use or sell the information of California residents may wish to consider the potential impact of this legislation. The coming months will no doubt stimulate considerable legislative and litigation activity to test the acceptability of AB 375’s effects on interstate commerce, free speech, commercial innovation, reasonable regulatory burdens and meaningful privacy protection.
Who Would Be Affected
AB 375 applies to “businesses … do[ing] business in the State of California” or businesses “that control[] or [are] controlled by” a business doing business in the state of California and that satisfy one of the following:
- have annual gross revenues in excess of $25 million
- annually buy, sell, receive or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers or devices
- derive 50 percent or more of annual revenues from selling consumers’ personal information
What Is Personal Information
The definition of personal information under AB 375 is expansive. It includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household….” It also encompasses “inferences drawn from any [personal information] … to create a profile about a consumer….”
Specific categories defined as personal information include
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, Social Security number, driver’s license number or passport number
- characteristics of protected classifications under California or federal law (such as race, gender, disability and others protected by antidiscrimination laws)
- commercial information, including records of property; products or services provided, obtained, or considered; or other purchasing or consuming histories or tendencies
- biometric information
- internet or other electronic network activity information, including but not limited to browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- geolocation data
- audio, electronic, visual, thermal, olfactory or similar information
- professional or employment-related information
- education information
Personal information does not include information that is publicly available or that is aggregate or deidentified (“information that cannot reasonably identify … a particular consumer”). “Publicly available” is narrowly defined in AB 375 to mean essentially only records of federal, state or local government that are used in a manner compatible with the purpose for which the records are maintained.
The inclusion of inferences drawn from any personal information could greatly expand the scope beyond what is enumerated above. The terms “infer” and “inference” are defined as the derivation of information, data, assumptions or conclusions from facts, evidence or another source of information or data. Additionally, there is a category of personal information that includes profiles created from inferences derived from other types of personal information. For example, if geolocation data shows that a consumer regularly visits a particular place of business, it may be inferred that the consumer is a patron of that business. As such, this could affect not only data used for profiling but the profiles derived as well.
Obligations of Businesses Affected by AB 375
Privacy Policy Disclosures. Businesses must inform consumers of their rights under AB 375. Before a business can collect any personal information, the business must inform the consumer of the categories of information it will collect and the purpose for which it will be used, including whether the information may be sold to third parties. Additionally, businesses must generally post an online privacy policy that provides (1) a description of consumers’ right to know, right to equal service and price, (2) methods for submitting requests pursuant to their right to know and (3) a list of the categories of personal information about consumers it has collected, sold or disclosed in the past 12 months, or the fact that it has not sold or disclosed any personal information. Businesses that sell personal information must provide a clear and conspicuous link on their homepage entitled “Do Not Sell My Personal Information” and allow consumers to elect not to have their personal information sold to third parties.
Under AB 375, businesses must comply with the following basic requirements: (1) If asked, inform consumers what personal information is being collected about them, and to whom it is being sold or disclosed; (2) if asked, stop the sale of personal information; (3) if asked, delete personal information; and (4) provide equal service and price even if consumers exercise their privacy rights. Third parties that purchase a consumer’s personal information are not allowed to sell it to other third parties or disclose that information without complying with these provisions of AB 375.
Right to Know. If requested by consumers, businesses have 45 days (subject to a possible limited extension) to provide consumers with the following, for the 12 months preceding the request:
(a) the categories of personal information it has collected, sold or disclosed for a business purpose
(b) the categories of sources from which the information is collected
(c) the business purpose for collecting or selling the information
(d) the categories of third parties to whom the business sold or disclosed personal information for a business purpose
(e) the specific pieces of information it has collected about the consumer (which could be construed as broader than information collected from the consumer)
The company must provide two or more methods for effectuating a request, including at least a toll-free telephone number and a website address, if applicable. A consumer may request this information twice in a 12-month period. In addition, the business must ensure that all individuals responsible for handling requests and compliance with AB 375 are educated about relevant aspects of the bill and how to direct consumers to exercise their rights under these sections.
While “selling” of personal information is defined broadly, there are several enumerated activities AB 375 explicitly defines as not constituting the sale of personal information. One such activity is when the business uses or shares personal information with a service provider, if (1) it is necessary for the services the provider performs for the business and (2) the provider does not sell the personal information.
Under this exception, “service provider” is defined as an entity that processes information on behalf of a business and receives personal information from the business pursuant to a contract. The contract must disallow the service provider from using the personal information for any purpose other than the specific purpose of performing services specific to the contract or as otherwise permitted by AB 375.
“Third party” excludes a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a contract, provided the contract (1) prohibits the person from selling or using the personal information for purposes other than providing the services in the contract and (2) includes certifications that the person receiving the personal information for performance of the contract understands the restrictions in (1).
“Business purpose” is defined as the use of personal information for the business’ operational purposes if the use is reasonably necessary to achieve the operational purpose for which the personal information was collected. “Business purpose” may include auditing related to interactions with the customer; performing services on behalf of the business, such as processing payments, providing financing, providing advertising or marketing services, or providing analytic services; and undertaking internal research for technological development and demonstration. However, “business purposes” do not include using information “to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including but not limited to the contextual customization of ads shown as part of the same interaction.”
The 45-day period to respond to a consumer request can be extended by up to 90 additional days, but the business still must inform the customer of the extension of time within 45 days of receiving the request and provide a reason for the delay.
Right to Prevent or “Opt Out” of the Sale of Personal Information. AB 375 gives consumers “the right to opt out.” This right requires businesses that sell personal information to provide the link on their homepage described above and allows consumers to elect not to have their personal information sold to third parties. If a consumer has opted out, businesses must wait at least 12 months before requesting authorization from the consumer to sell their personal information again.
Businesses cannot sell personal information of a consumer who is under the age of 16 unless the consumer affirmatively opts in to the sale of his or her information. Additionally, consumers under the age of 13 must have their parents authorize their opting in.
Right to Delete Personal Information. The bill allows consumers to have a business delete any personal information the business has collected “from the consumer.” (It is not clear whether information “inferred” about the consumer would be covered by this right of deletion, but the reference to the data collected from the consumer suggests otherwise.) However, a business is not required to delete personal information under certain circumstances, such as if the information is necessary to complete a transaction, protect against malicious activity, exercise free speech or use internally in a manner that is “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business” or “compatible with the context in which the information was provided.” California Senate analysis of AB 375 states that it is possible that future regulations would provide guidance concerning the effect of free speech on consumers’ right to delete personal information.
Right to Equal Service and Price. Businesses cannot discriminate against consumers who exercise any of their rights under AB 375. Businesses are forbidden from denying consumers goods or services, charging them different prices, providing them different levels or quality of service or goods or even suggesting to them that it will do so. However, businesses may offer different levels or prices of services or goods to consumers if the difference in service is directly related to the value the consumer’s data provides to the consumer. For example, this may mean that an app that needs certain personal information to operate most efficiently would be allowable. The company may also offer financial incentives to consumers for the collection or sale of personal data. This may allow companies to set different subscription models based on whether consumers opt in or opt out.
Other Provisions Related to Obligations Under AB 375. A business must implement technical and business process safeguards that prohibit reidentification of “deidentified” personal information. The company must also make no attempt to reidentify the information and implement processes that specifically prohibit reidentification. Finally, it must have processes in place to prevent inadvertent release of deidentified information.
AB 375 obligations do not restrict a business’s ability to comply with other laws or legal inquiries, cooperate with law enforcement, or exercise or defend legal claims. It will also not interfere with the business’s collection, sale or disclosure of deidentified information or aggregate consumer information (“information that relates to a group or category of consumers from which individual consumer identities have been removed”). Finally, it will not restrict the ability of businesses to collect or sell personal information if all parts of the collection and sale take place outside of California.
Interaction With Other Privacy Laws. The law supplements existing federal and state protections and does not apply in the event of a conflict with federal law. AB 375 does not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act or the notification rules issued by the Department of Health and Human Services made pursuant to the Health Insurance Portability and Availability [sic] Act. (The citation makes clear that AB 375 intended to refer to HIPAA, the federal Health Insurance Portability and Accountability Act.)
AB 375 does not apply to the sale of personal information to or from a consumer reporting agency if the information is to generate a consumer report.
AB 375 does not apply to personal information collected or sold pursuant to the Gramm-Leach-Bliley Act and associated regulations “if it is in conflict with that act.”
AB 375 supersedes and preempts all other rules, regulations, codes, ordinances, and other laws adopted by local governments regarding the collection and sale of consumers’ personal information by a business. The law is designed to supplement existing state and federal law but will not apply if it conflicts with federal law or the California Constitution.
AB 375 cannot be waived or limited by any contract or agreement, as such waivers are declared void as against public policy.
Enforcement
Private Right of Action for Data Breach. AB 375 provides a limited private right of action for data breach only, unlike the initiative, which had a much larger scope. If a business fails to maintain reasonable security procedures, and as a result, consumers’ nonencrypted or nonredacted personal information (defined narrowly here as Social Security number, driver’s license number, personal account numbers/access codes, medical or insurance information, or a username and password/security question combination) is subject to unauthorized access and exfiltration, theft or disclosure, AB 375 allows for a private right of action.
Significantly, AB 375 provides that consumers may recover between $100 and $750 per incident or actual damages, whichever is greater. These damages could be enormous in the case of a large-scale data breach. Moreover, this statutory damage provision could undermine defendants’ arguments that challenge constitutional standing. A court may also provide injunctive, declaratory relief or other relief that the court deems proper. However, AB 375 imposes significant limitations on consumers’ exercise of this private right. The bill would disallow consumers from using it as a basis for bringing claims under the California Unfair Competition Law or any other law. Consumers must provide businesses a 30-day notice of the violation before filing suit, and if the business cures the violation within this period, they may not pursue statutory damages.
Furthermore, consumers must notify the Attorney General of the action within 30 days of filing (though there appears to be an obvious glitch in the text here referring to a nonexistent section of the bill). The Attorney General, in turn, may order consumers not to proceed with the action.
Even though narrowed from the ballot initiative, this new private right of action goes much further than the existing California Data Breach Notification Law. The existing law allows consumers actual damages only for untimely or improper notification of a data breach.
Only Regulatory Enforcement for Privacy Violations. The Attorney General is tasked with overall enforcement and will have a special pot of resources to do so, funded by 20 percent of the fines it collects under the act.
Significantly, businesses would receive notice and have 30 days to cure a noncompliance with AB 375; thereafter, the Attorney General may pursue a civil action against the company. Statutory damages for violations may be up to $7,500 for each violation — which again could be enormous in the case of a large data breach.
Regulations. The Attorney General may promulgate regulations in furtherance of AB 375, such as expanding the categories of personal information, establishing rules to govern opt-out requests, updating the notice requirements or “additional regulations as necessary to further the purpose of [AB 375].”
AB 375 expressly provides that “[n]othing in this act shall be interpreted to serve as the basis for a private right of action under any other law.” This would appear to eliminate consumers’ ability to bring claims for violations of AB 375 under other statutes such as California’s Unfair Competition Law, Business and Professions Code Section 17200, and so on.
The bill also specifies that it shall be “liberally construed to effectuate its purpose.”
Next Steps
AB 375 directs the Attorney General to promulgate regulations, which will no doubt draw significant public participation.
On a practical level, much as in preparing for the GDPR, AB 375 will also require companies to
- ensure compliant privacy policy amendments are made
- engineer systems to allow the exercise of these new rights
- further develop their privacy compliance programs in light of the increased penalties for noncompliance
This new California privacy regime was enacted with lightning speed and without meaningful opportunity for hearings and stakeholder input. It could inhibit the development or deployment of new technologies and benefits for consumers, including big data, artificial intelligence, internet of things, blockchain and financial products.
It will certainly have significant effects in other states and on interstate commerce and may thus prompt challenges under the federal Constitution’s dormant commerce clause. In addition, the new law’s prodigious and burdensome disclosure and deletion obligations may raise serious issues regarding free speech and takings clause rights protected under the Constitution. Specifically, in Sorrell v. IMS Health Inc., 564 U.S. 552 (2011), the U.S. Supreme Court recognized that businesses have First Amendment rights in data processing: “Speech in aid of … marketing … is a form of expression protected by the Free Speech Clause of the First Amendment.”
There can be no doubt that the coming months will bring forth legislative and litigation challenges galore to determine whether California has in AB 375 adopted an acceptable or an excessive new privacy regime for its own residents and perhaps the country.