California Passes Historic Online Privacy Law

The law is the first of its kind and may fundamentally change how Silicon Valley does business.

What You Need to Know

The bill was rushed through both houses to prevent a stricter initiative from being sent to the polls in November. That initiative was proposed by a San Francisco real estate developer named Alastair Mactaggart and garnered nearly twice the number of signatures needed to qualify for consideration on November’s ballot. It contained more requirements and broader penalties, and allowed consumers to sue companies in almost any situation where their privacy or security was compromised. Mactaggart agreed to withdraw his measure if lawmakers approved a watered-down version.

Thus, after years of sluggish progress on privacy reform, the Consumer Privacy Act was passed. The law ensures the following rights:

• The right to know the categories and specific pieces of personal information collected from consumers, the categories of sources from which the personal information is collected and the business purpose for collecting or sharing the personal information.
• The right to know whether personal information is sold or disclosed and the categories of third parties with whom personal information is shared.
• The right to object to the sale of personal information.
• The right to access personal information, including the right to request the deletion of personal information, subject to certain exceptions.
• The right to equal service and price, even when exercising privacy rights. Companies are allowed, however, to charge consumers different prices or provide different levels of services, if those differences are directly related to the value provided to the consumer by the consumer’s data. Additionally, companies can offer financial incentives for the collection/sale/deletion of personal information.

Furthermore, the law allows the Attorneys General to initiate enforcement actions. Fines can reach up to $7,500 per violation. Where personal information is subject to an unauthorized access and exfiltration, theft, or disclosure when a company fails to implement and maintain reasonable security practices, the law allows for a private right of action. When certain requirements are met, individual consumers may sue to recover damages between $100 and $750 per incident or actual damages, whichever is greater.

Many have noted the similarities between the California Consumer Privacy Act and the European Union’s recently implemented General Data Protection Regulation. While the rights contained in the new law mirror some sections of the GDPR, there are some notable differences. For instance, the California law does not set a deadline for notifying consumers of a data breach though California’s requirement that breaches be reported “without unreasonable delay” may be viewed as overlapping with the GDPR. Further, fines do not come close to the enormous fines for violations of the GDPR.

The California Consumer Privacy Act does not go into effect until January 1, 2020 and changes are anticipated as major tech companies and business interest groups will likely lobby to further dilute the bill. The California legislature is also expected to pass “cleanup bills” to make any necessary corrections to the law over the next 18 months, and, there is a possibility that federal privacy legislation will be enacted that would preempt this California law. Therefore, the law that comes into force in 2020 may be different from the bill that was just passed.