This afternoon, Governor Brown signed into law California Assembly Bill 375, the California Consumer Privacy Act of 2018. The law is unprecedented in the United States that it applies European-level compliance obligations akin to the now infamous General Data Protection Regulation (GDPR), which took effect only a month ago. How did this happen? California legislators rushed a bill through to avoid a ballot initiative proposed by Alastair Mactaggart. Mactaggart agreed to withdraw the initiative if a law was signed by the Governor by today. The law takes effect on January 1, 2020. (And if you think that’s a long time, then you did not just live through the last 18 months working on GDPR preparedness.) What does AB 375 mean for organizations doing business in California? It includes new disclosure requirements, consumer rights, training obligations, and potential penalties for noncompliance, among other things.
Below are some of the key provisions:
- Right to Transparency – Similar to the GDPR, the law creates a right to transparency regarding personal information. The law defines personal information very broadly, also like the EU definition, to include information that identifies, relates to, describes, is capable of being associated with, or could reasonable be linked, directly or indirectly with a particular consumer or household. Relevant examples of personal information include unique personal identifier, online identifier, Internet Protocol address, internet or other electronic network activity information (including browsing history, search history, and information regarding a consumer’s interaction with an internet Web site, application, or advertisements), geolocation data, and inferences drawn from any information identified in this subdivision to create a profile. The law requires a business to inform consumers as to the categories of personal information to be collected and the purposes for which the categories shall be used. In addition, the business must disclose the consumer’s right to request deletion, that personal information may be sold, and that consumers have the right to opt out of the sale.
- Access Right – The law provides consumers with the right to request that a business disclose to the consumer the categories and specific pieces of personal information that the business has collected. Upon the request, the business must disclose: (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting or selling personal information; (4) the categories of third parties with whom the business shares personal information; and (5) the specific pieces of personal information it has collected about the consumer. While this right is similar to the access right under the GDPR, it also adds specific requirements regarding the sale of personal information.
- Data Portability Right – The law provides consumers with the right to obtain their personal information in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit the information to another entity without hindrance. Again, this right is similar to the right under the GDPR.
- Deletion Right – The law provides consumers with a right to request that a business delete any personal information which the business has collected from the consumer. Note that the deletion right relates to personal information “the business has collected from the consumer” while the access right relates to personal information “the business has collected.” The deletion right is subject to specific exceptions set forth in 1798.105(d). Again, this right is similar to the right under the GDPR.
- Data Sale/Disclosure Right – This right is not provided by the GDPR. The law provides consumers with the right to request that a business that sells the consumer’s personal information or discloses it for business purposes, disclose: (1) the categories of personal information that the business collected about the consumer; (2) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal data was sold, by category or categories of personal information for each third party to whom the personal information was sold; and (3) the categories of personal information that the business disclosed about the consumer for a business purpose. Note that the law creates separate rights regarding personal information sold and personal information disclosed for business purposes.
The term “sell” is broadly defined to include selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumers’ personal information by the business to another business or a third party for monetary or other valuable consideration. There is a carve out that sell does not include when a consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided that the third party does not also sell the personal information; however, the law specifies that hovering over, muting, pausing, or closing a given piece of content does not constitute a consumers’ intent to interact with a third party.
The term “business purpose” means the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, including auditing, detecting security incidents, debugging, short term transient use (including contextual customization of ads shown as part of the same interaction), performing services on behalf of the business or service provider (including providing analytic services), undertaking internal research, and safety.
The distinction between sell and disclosure for business purpose is important because it impacts the opt-out right discussed below.
- Right to Opt-Out – A consumer shall have the right at any time to direct a business that sells personal information about the consumer to third parties not to sell the consumers’ personal information. The third party also has obligations – a third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has receive explicit notice and is provided an opportunity to exercise the right to opt out. 1798.115(d) The business may request opt-in after 12 months.
- Right to Opt-in for Children under 16 – A business needs opt-in consent to sell the personal information of a consumer where it has actual knowledge the consumer is under 16. The opt-in consent must come from the consumer if between 13 and 16. The opt-in consent must come from the parent if under 13.
- Deidentified or Aggregate Consumer Information – The law provides an exception that it shall not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
- Financial Incentives– Another key difference between the GDPR and AB 375 is that under AB 375 a business may offer financial incentives for the collection, sale, and deletion of personal information. The business shall notify consumers about the financial incentives and obtain opt-in consent. The business shall not discriminate against consumers that do not opt-in or who exercise their rights.
- Violations – There is no private right of action (except in connection with a security breach, which is narrowly defined). The State AG may bring actions for civil penalties of up to $7,500 per violation.