In a last-minute action, just a few hours before a looming deadline Thursday afternoon, the California legislature passed AB 375, the California Consumer Privacy Act of 2018. As a result of its passage, Alastair Mactaggart, the man behind a November ballot initiative to pass a similar law, has agreed to pull his bill from the ballot.

In a news conference held to celebrate the bill’s passage and signature by Gov. Jerry Brown, Assemblymember Ed Chau, who leads the California Assembly’s Privacy Committee, called the bill a “historic step” for California consumers, “giving them control over their personal data.” The law, he said, “forges a path forward to lead the nation once again on privacy and consumer protection issues.”

California State Senator Bob Hertzberg was downright ebullient in striking a tone of victory: “This is a huge step forward for California,” he said, “for consumers all across the country.”

Mactaggart, whom Hertzberg compared to Nelson Mandela and Mahatma Gandhi, chuckled in saying it’s “not every day you see a law made so quickly.” Indeed, he said, not more than a month ago he was convinced the ballot initiative was the only way the privacy law could be made reality. Instead, the legislature engaged only a week ago and quickly passed this sweeping legislation that brings into being significant new privacy rights for consumers.

“We have achieved a significant accomplishment,” Mactaggart said. “This is the strictest privacy bill in the history of the country.”

Assuming the law is not amended before it comes into force on January 1, 2020, the California Consumer Privacy Act would make it so:

• Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what's being done with their data in terms of both business use and third-party sharing. 

• Businesses will have to have a verification process so consumers can prove they are who they say they are when they do their requesting. 

• Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use. 

• Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special "Do Not Sell My Personal Information" button on their web sites to make it easy for consumers to object. 

• Sale of children's data will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that. 

• Organizations cannot "discriminate against a consumer" based on the exercising of any of the rights granted in the bill. For example, you can't provide a different level or quality of service based on a consumer objecting to the sale of their data. However, organizations could offer higher tiers of service or product in exchange for more data as long as they're not "unjust" or "usurious."

• A covered "business" is defined as any for-profit entity that either does $25 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.

• The law would be enforced by the Attorney General and create a private right of action for unauthorized access to a consumer's "nonencrypted or nonredacted personal information." Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).

• Finally, the law protects any "consumer," defined as a "natural person who is a California resident," which is defined as "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."

Asked if companies are likely to begin compliance now or wait until 2020, Hertzberg said he thinks the bill “sets a tone … Even though it will be delayed in implementation, you will have an impact just by the virtue of its existence.”

And what about talk that the legislature may make some adjustments to the law between now and 2020?

Chau said, “I think one thing we’re looking at is the private right of action, and secondarily, the AG may have some issues that we need to fine tune, so those are the most immediate issues. And there may be some technical clean up work. The intent is to sit down and work with stakeholders to figure out which issues need to be resolved first. Based on that we’ll take action. 

“But no promises.”

Editor's note, posted morning of June 29, 12 hours after publication: During the remarks captured here in the press conference, Mactaggart opened by thanking particularly Nicole Ozer, technology and civil liberties director for the ACLU of California, for her work in helping to craft AB 375. Later that night, Ozer released this statement: “Concern for privacy is at an all-time high in the aftermath of the Cambridge Analytica scandal, and yet California has enacted a law that utterly fails to provide the privacy protections the public has demanded and deserves. Nobody should be fooled to think AB 375 properly protects Californians’ privacy.

“This measure was hastily drafted and needs to be fixed. When that happens next year, effective privacy protections must be included that actually protect against rampant misuse of personal information, make sure that companies cannot retaliate against Californians who exercise their privacy rights, and ensure that Californians can actually enforce their personal privacy rights.

“The California legislature needs to pay heed to the public’s need and desire for proper privacy protections. Millions of Californians depend on it.”