California Consumer Privacy Act
California Gov. Jerry Brown signed into law June 28, 2018, a landmark privacy bill that is being compared to the EU General Data Protection Regulation for its overarching approach and strong privacy protections as well as the potential impact it may have on businesses around the world.
Overview of the law
Though lawmakers and others are already discussing amending the law prior to its Jan. 1, 2020, effective date, the law as passed provides that:
- Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what’s being done with their data in terms of both business use and third-party sharing.
- Businesses will have to have a verification process so consumers can prove they are who they say they are when making requests.
- Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use.
- Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special “Do Not Sell My Personal Information” button on their web sites to make it easy for consumers to object.
- Sale of children’s data will require express opt-in, either by the child, if between ages 13 and 16, or by the parent if younger than that.
- Organizations cannot “discriminate against a consumer” based on the exercising of any of the rights granted in the bill. For example, you can’t provide a different level or quality of service based on a consumer objecting to the sale of their data. However, organizations could offer higher tiers of service or product in exchange for more data as long as they’re not “unjust” or “usurious.”
- A covered “business” is defined as any for-profit entity that either does $25 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.
- The law would be enforced by the Attorney General and create a private right of action for unauthorized access to a consumer’s “nonencrypted or nonredacted personal information.” Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).
- Finally, the law protects any “consumer,” defined as a “natural person who is a California resident,” which is defined as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
Assembly Bill No. 375 CHAPTER 55 An act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy. [ Approved by Governor June 28, 2018. Filed with Secretary of State June 28, 2018. ] LEGISLATIVE COUNSEL'S DIGEST AB 375, Chau. Privacy: personal information: businesses. The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and r...
Originally broadcast: Tuesday, July 10, 2018. What exactly does the law call for? How is a “California resident” defined, and which organizations will be affected? What are the penalties for non-compliance, and does it provide for a private right of action? Join us for a virtual discussion featuring some of the best privacy law experts on the West Coast, and learn the answers to these questions and more while getting the chance to ask your own. You’ll hea...
Broad data and business regulation, applicable worldwide
As of January 1, 2020, companies around the world will have to comply with additional regulations related to processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies have to observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and liquida...
Unraveling the latest in the data protection juggernaut: What does the California Consumer Privacy Act mean for employers?
With the May 25 effective date of the European Union’s General Data Protection Regulation barely in the rear-view mirror, California’s Governor Jerry Brown, on June 28, signed into law the California Consumer Privacy Act of 2018. The law flashed onto the scene after a concerned and wealthy California citizen funded, and obtained the approval of, a ballot initiative for a similar law to be placed on the November 2018 electoral ballot. The initiative’s backer used that approval as leverage in the w...
CyberSideChat with Morrison Foerster’s Andrew Serwin, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM
How we got here
CaCPA came about largely due to the efforts of a San Francisco real estate mogul who endeavored to improve the protection of California consumers’ personal information. Alastair Mactaggart championed and funded an initiative to get a similar bill put on the ballot, receiving more than 600,000 signatures — significantly more than necessary (though they were never officially certified).
Just days before the signatures were to be certified, California Democrats made an agreement with Mactaggart that if they could get a compromise bill signed into law prior to the deadline to get the initiative on the ballot, he’d pull his version. In Mactaggart’s words, the proposed bill is “substantially similar to our initiative … It gives more privacy protection in some areas, and less in others.”
For their part, tech industry giants — some of which spent lots of money to oppose Mactaggart’s ballot initiative — announced they would not attempt to block the compromise bill, noting that while they disagree with much of it, it prevents the ballot initiative from moving forward.
It came down to the wire, but just hours before the close of session on June 28, 2018, Gov. Brown signed CaCPA into law.
In a last-minute action, just a few hours before a looming deadline Thursday afternoon, the California legislature passed AB 375, the California Consumer Privacy Act of 2018. As a result of its passage, Alastair Mactaggart, the man behind a November ballot initiative to pass a similar law, has agreed to pull his bill from the ballot. In a news conference held to celebrate the bill’s passage and signature by Gov. Jerry Brown, Assemblymember Ed Chau, who leads the California Assembly’s Privacy Co...
The Internet Association, a Silicon Valley lobbying group representing tech companies, such as Facebook, Amazon and Google, announced it will not oppose the internet privacy bill making its way through California’s legislature, MediaPost reports. While the Internet Association disagrees with aspects of the bill, the group prefers it to the law proposed by real estate mogul Alastair Mactaggart, who said he will withdraw his initiative if the current privacy legislation passes and is signed by Thu...
The Los Angeles Times reports California Democrats have reached a tentative agreement with real estate mogul Alastair Mactaggart that would "enact major new consumer privacy rules in exchange for the withdrawal" of a robust privacy initiative that was set to go on the November ballot. According to the report, the deal is "contingent on legislation passing both houses and getting signed by Gov. Jerry Brown" before the June 28 deadline for the finalization of the November ballot. In a statement, M...
A California ballot initiative currently gaining momentum through the legislative process has some saying it has the potential to cripple business across the U.S. and would have ramifications, unintended or not, far more reaching than the European Union's newly enacted and expansive data protection law, the General Data Protection Regulation. The proposal comes from an unlikely candidate: a real estate mogul based in San Francisco. Alastair Mactaggart was casually talking to an engineer at Goo...
While there remain unknowns with the CaCPA, we do know it has the potential to affect millions of businesses worldwide.
The brand-new California Consumer Privacy Act of 2018, which swept through the California legislature last week with startling speed as a compromise measure preempting an even stricter ballot initiative, will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises. These figures were derived by an IAPP examination of the language of the law as applied to U.S. census data about American businesses. The new act, which provides California resid...