A U.S. GDPR? Not Even Close  

At the end of June, California enacted a new data privacy regime that some are comparing to the European Union’s recently operative General Data Privacy Regulation (GDPR). The statute will not take effect until January 1, 2020, but when it does, it may serve as a de facto U.S. national data privacy statute in the absence of federal action given the size of California’s economy and population. Yet, as enacted, the new statute may only provide marginal privacy benefits for consumers while potentially imposing significant new compliance burdens on entities doing business in California.

Large multi-nationals may find it easier to operate according to the new California standard throughout the U.S., as opposed to tailoring their data privacy approaches to each individual state. Moreover, other “blue” states may follow suit (e.g. Massachusetts, Maryland, Illinois) and enact similar data privacy standards, or, should the Democrats control Congress next year, this legislation could be a model for a federal statute.

Given reports that technology companies, in particular, may try to further change the new statute, it may be wise to understand how the measure works, aside and apart from the hype of it possibly being the U.S. equivalent of the EU’s GDPR.

Background

Simply put, a ballot initiative forced action in California because of the nature of the process. Generally, legislation passed by ballot initiative cannot be subsequently amended by the legislature; it can only be changed by further ballot initiatives. However, a 2014 change to the ballot initiative process (i.e. SB 1253) introduced a process by which the California legislature could negotiate with ballot initiative backers on legislation in lieu of a ballot initiative. Consequently, the new bill was crafted “following a week of tense, behind-the-scenes negotiations and a deal between tech companies and privacy rights advocates.” As a result, some have articulated concerns about the process of enactment and how well the law is crafted.

The ballot initiative campaign that forced legislative action was financed and headed by Alastair Mactaggart, a real-estate developer from San Francisco. The initiative, known as the California Consumer Privacy Act, had succeeded in getting “The Consumer Right to Privacy Act of 2018” on the ballot for this fall and would have done the following:

Gives consumers right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed. Gives consumers right to prevent businesses from selling or disclosing their personal information. Prohibits businesses from discriminating against consumers who exercise these rights. Allows consumers to sue businesses for security breaches of consumers’ data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies. Imposes civil penalties. Applies to online and brick-and-mortar businesses that meet specific criteria.

The initiative claimed that “[p]roviding information to a company is not the same as making it available to the public generally, and you have a reasonable expectation that businesses will respect your privacy and take reasonable precautions to safeguard your personal information.” Some may make the case that the savvy consumer should understand that using free apps and services means surrendering sensitive private information not only to the vendor, but also to other entities in the personal data ecosystem. However, this may be a stretch as the average consumer likely has little conception of what happens to her geolocation data, for example, on her iPhone.

It bears note that California has passed legislation before to address the issues posed by collection and distribution of consumer data. In 2003, California enacted the “Shine the Light” bill, which was supposed to have provided “consumers with the right to request information on the types of information shared for marketing purposes, and the parties with whom it was shared,” according to a legislative analysis. Other statutes intended to provide greater privacy protection have also been enacted, such as the “California Online Privacy Protection Act.” However, there have been doubts raised as to whether businesses have complied with these laws, and the landscape for consumer data privacy has shifted radically with the proliferation of smartphones and Internet of Things (IoT) devices.

While the new statute is more modest in scope than the ballot initiative, it is broader than any other state or federal statute currently enacted. In short, any company seeking to collect, use, share, or sell the personal information of Californians may need to acquire more detailed consent from consumers, subject to some exceptions. Additionally, consumers may have greater say over how and when their information is shared and used, including a detailed history of how it’s been used. Moreover, the bill creates a new, modest private right of action for consumers in the event of a data breach. Also, it is important to keep in mind that there are other similar limitations in the new statute that will likely result in a more modest impact than what the EU will see with its GDPR.

How the new California Statute Will Operate

The bill builds on the “right of privacy” as enshrined in California’s constitution, and the California legislature intends that the “California Consumer Privacy Act of 2018” should accomplish the following “by giving consumers an effective way to control their personal information:”

(1) The right of Californians to know what personal information is being collected about them.

(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.

(3) The right of Californians to say no to the sale of personal information.

(4) The right of Californians to access their personal information.

(5) The right of Californians to equal service and price, even if they exercise their privacy rights.

Yet, the statute is much narrower than some are claiming. Firstly, it applies to a limited number of businesses. For purposes of this statute, a business collecting and sharing personal information must meet one or more of the following requirements before they are subject to A.B.375:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

One can reasonably envision larger companies being subject on the basis of gross revenues or the use of the personal information of 50,000 or more Californians per year. The third threshold, by contrast, would seem aimed at data brokers or app developers that derive the lion’s share of their revenue from selling personal information. However, it bears note that this third prong attaches only if the information is sold. If a business derives 50 percent or more of its revenues by sharing or trading information rather than selling it, then it would not need to comply with this new law on that basis. Therefore, unless one of the other two prongs attached, these entities would not be subject to the new statute.

Yet, parent companies of entities operating in California may be subject. The statute makes clear that “[a]ny entity that controls or is controlled by a business [that satisfies one of the three thresholds] and that shares common branding with the business” will be subject to the new statute. The new law further defines “control” or “controlled” as “ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.”

Under the bill, “[p]ersonal information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This term includes many types of information that could reasonably be linked to a person such as: “a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers” and other information of the like. However, this term excludes “information that is lawfully made available from federal, state, or local government records.”

In terms of new consumer rights, California residents will be able to ask most businesses collecting their personal information to “disclose to that consumer the categories and specific pieces of personal information the business has collected.” However, businesses may wait until they receive a “verifiable request.”

While Californians may request that businesses delete the personal information that they have “collected from the consumer,” there are a number of exceptions. For example, businesses do not have to honor a request to delete personal information if it “is necessary for the business or service provider to maintain the consumer’s personal information” to achieve a number of business purposes, such as “[d]etect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.” Presumably, any halfway competent attorney could make the case that a business needs to deny deletion requests in order to foster cybersecurity. Two other seemingly very broad exceptions include:

To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business…

Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

So, on the one hand, the California legislature is giving Californians the right to request that businesses collecting their personal information delete this information, but then, on the other hand, legislators have so limited this new right with exceptions that may function contrary to the avowed purpose of the new statute.

Residents of California shall have the right to request and receive the “specific pieces of personal information” businesses have collected. However, one wonders how businesses will need to respond to these requests. In which form will consumers receive this information? Electronically or on paper? In a spreadsheet or a PDF? In a form that is easily searchable or not? California’s attorney general will have the ability to promulgate regulations, so perhaps these are the sorts of details that will be determined through the administrative process.

Also, contrary to many reports, consumers will not know to whom exactly businesses sell or disclose their personal information. Rather, with respect to personal information sold, Californians will be permitted to request only the “categories of personal information” and the “categories of third parties.” Even less information would be available in terms of disclosed information: only the categories of personal information. Consequently, a business would only need to tell consumers who request this information about categories of third parties, not specific companies. So, instead of a business telling a consumer the exact information (e.g. geolocation data on May 27, 2021) sold to a specific data broker, the business only has to explain that it has sold geolocation data generally to data brokers.

Additionally, going forward, businesses subject to the new law must merely “inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used” “at or before the point of collection.” No consent is required, but businesses must “[p]rovide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.” However, this opt-out is effective for only 12 months at a time and doesn’t pertain to disclosed or shared information.

Another wrinkle is that the statute carves out those data collection activities subject to other statutes, mainly federal data security regimes like the “Health Insurance Portability and Availability Act of 1996,” (HIPAA), “Gramm-Leach-Bliley,” and other federal statutes and regulations pertaining to data security to the extent there is no conflict with the federal regimes. However, it remains to be seen how precisely the new statute does not conflict with these federal data security regimes and is therefore binding on healthcare entities and financial services entities. Additionally, the bill “shall not restrict a business’s ability to…[c]ollect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.”

With respect to the new civil action Californians may bring against businesses in the event of certain data breaches, a person may ask a court for $100 to $750 “per incident or actual damages, whichever is greater,” “injunctive or declaratory relief,” or “[a]ny other relief the court deems proper.” However, before suit may be filed, businesses must be given 30 days’ notice by the consumer, spelling out the specific sections of the statute that have allegedly been violated, so that they are able to “actually cure[]” the data breach. However, this section does not spell out what an “actual[] cure” would be. Nonetheless, if the violation is not actually cured, then the suit may proceed.

There may be an opportunity for greater clarity because “[o]n or before January 1, 2020, the Attorney General shall solicit broad public participation to adopt regulations to further the purposes of this title.” Of course, while the attorney general’s regulations would not be able to adopt standards contrary to the new law, there may be opportunities to define and interpret the statute. Additionally, the California legislature may revisit the statute given the rushed process that may have led to some poorly designed or thought out provisions.

Conclusion

There is still much to be determined about how this statute will operate. There may be guidance materials developed to clear up some ambiguities, and future California legislation and litigation will likely reveal the operative contours for businesses with a presence in California. As noted earlier, this could be a model statute for other states because the technology sector was an active participant in the negotiations leading up to the enactment of the bill and may therefore be willing to let other states follow suit.

The views expressed are the author’s alone and do not reflect the views of his clients nor his firm. 


About the Author(s)

Michael Kans

Michael Kans is a Principal at Williams & Jensen and focuses on technology, cybersecurity, transportation, defense, appropriations and healthcare issues; he previously worked for Rep. Charles Gonzalez (D-TX) and handled press and issues pertaining to tax, budget and the judiciary. Follow him on Twitter (@Michael_Kans).