The Privacy Advisor | California passes landmark privacy legislation



In a last-minute action, just a few hours before a looming deadline Thursday afternoon, the California legislature passed AB 375, the California Consumer Privacy Act of 2018. As a result of its passage, Alastair Mactaggart, the man behind a November ballot initiative to pass a similar law, has agreed to pull his bill from the ballot.

In a news conference held to celebrate the bill’s passage and signature by Gov. Jerry Brown, Assemblymember Ed Chau, who leads the California Assembly’s Privacy Committee, called the bill a “historic step” for California consumers, “giving them control over their personal data.” The law, he said, “forges a path forward to lead the nation once again on privacy and consumer protection issues.”

California State Senator Bob Hertzberg was downright ebullient in striking a tone of victory: “This is a huge step forward for California,” he said, “for consumers all across the country.”

Mactaggart, whom Hertzberg compared to Nelson Mandela and Mahatma Gandhi, chuckled in saying it’s “not every day you see a law made so quickly.” Indeed, he said, not more than a month ago he was convinced the ballot initiative was the only way the privacy law could be made reality. Instead, the legislature engaged only a week ago and quickly passed this sweeping legislation that brings into being significant new privacy rights for consumers.

“We have achieved a significant accomplishment,” Mactaggart said. “This is the strictest privacy bill in the history of the country.”

Assuming the law is not amended before it comes into force on January 1, 2020, the California Consumer Privacy Act would make it so:

• Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what's being done with their data in terms of both business use and third-party sharing. 

• Businesses will have to have a verification process so consumers can prove they are who they say they are when they do their requesting. 

• Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use. 

• Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special "Do Not Sell My Personal Information" button on their web sites to make it easy for consumers to object. 

• Sale of children's data will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that. 

• Organizations cannot "discriminate against a consumer" based on the exercising of any of the rights granted in the bill. For example, you can't provide a different level or quality of service based on a consumer objecting to the sale of their data. However, organizations could offer higher tiers of service or product in exchange for more data as long as they're not "unjust" or "usurious."

• A covered "business" is defined as any for-profit entity that either does $25 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.

• The law would be enforced by the Attorney General and create a private right of action for unauthorized access to a consumer's "nonencrypted or nonredacted personal information." Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).

• Finally, the law protects any "consumer," defined as a "natural person who is a California resident," which is defined as "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."

Asked if companies are likely to begin compliance now or wait until 2020, Hertzberg said he thinks the bill “sets a tone … Even though it will be delayed in implementation, you will have an impact just by the virtue of its existence.”

And what about talk that the legislature may make some adjustments to the law between now and 2020?

Chau said, “I think one thing we’re looking at is the private right of action, and secondarily, the AG may have some issues that we need to fine tune, so those are the most immediate issues. And there may be some technical clean up work. The intent is to sit down and work with stakeholders to figure out which issues need to be resolved first. Based on that we’ll take action. But no promises.”

Editor's note, posted morning of June 29, 12 hours after publication: During the remarks captured here in the press conference, Mactaggart opened by thanking particularly Nicole Ozer, technology and civil liberties director for the ACLU of California, for her work in helping to craft AB 375. Later that night, Ozer released this statement: "Concern for privacy is at an all-time high in the aftermath of the Cambridge Analytica scandal, and yet California has enacted a law that utterly fails to provide the privacy protections the public has demanded and deserves. Nobody should be fooled to think AB 375 properly protects Californians’ privacy.

"This measure was hastily drafted and needs to be fixed. When that happens next year, effective privacy protections must be included that actually protect against rampant misuse of personal information, make sure that companies cannot retaliate against Californians who exercise their privacy rights, and ensure that Californians can actually enforce their personal privacy rights.

"The California legislature needs to pay heed to the public’s need and desire for proper privacy protections. Millions of Californians depend on it."



  • Alex Krylov • Jun 28, 2018
    A European approach to privacy closer in the US thanks to Cali? Sure seems like it. Appears to be a natural evolution of existing protections rather than a revolution.
  • Margaret Reetz • Jun 29, 2018
    What is the per violation fine provision? (Which section: sec. 1798.150(a) says a consumer whose nonencrypted or nonredacted PI is subject to unauthorized access/theft as a result of failure to implement security procedures may file a civil action for (A) to recover damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater)
  • Robert Doherty • Jun 29, 2018
    Great news for consumers, and because of California's vast ties globally, essentially any business doing business in California that meets the threshold (e.g., large social media operations) will have to meet the requirements of the law. It won't be long before GDPR-like requirements will sweep North American jurisdictions and that will force companies to abide by stricter privacy rules.
    Bob Doherty
  • Richard Santalesa • Jul 10, 2018
    Another misbegotten hastily-drafted law that won't have the intended results hoped and will thwart the growth of SMBs. Good work CA.
  • Sam • Jul 13, 2018
    Hi Margaret - I'm going by this piece under the AG's powers:
    1798.155. Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.
    (a) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be liable for a civil penalty as provided in Section 17206 of the Business and Professions Code in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
    (b) Notwithstanding Section 17206 of the Business and Professions Code, any person, business, or service provider that intentionally violates this title may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.