Overview of the California Consumer Privacy Act
California lawmakers passed new privacy legislation, the California Consumer Privacy Act of 2018, and made a step forward in creating one of the most significant regulations controlling the data-collection practices of technology companies.
After a series of failures to protect consumers’ data and a growing awareness of how technology companies exploit user information, it is not surprising that this legislation went from draft to law in just one week.
AB 375 was unanimously approved by the State Senate and Assembly and goes into effect in 2020. It will probably have a major impact on technology, media and entertainment companies, and could lead to other states passing similar laws.
As the first law of this kind in the United States, AB 375 aims to deliver transparency over personal data use, gives Californians more control over the information businesses gather on them and imposes new penalties for non-compliance.
AB 375 and GDPR
Over the next 17 months, many tech companies will have to meet AB 375’s requirements on the processing and protection of personal data, many of which are similar to the requirements under the EU General Data Protection Regulation, which went into effect in late May.
Both AB 375 and GDPR highlight the following:
- Transparency – Consumers have the right to know what personal information is being collected about them and for what purpose.
- Control over Selling Personal Information – Consumers have the right to know if their personal information is being sold or disclosed and to decide whether to opt out of the sale. Also, businesses cannot discriminate against customers who opt out of the sale of their information.
- Access and Deletion – Consumers have the right to request a disclosure of the categories and specific pieces of personal information that have been collected. They can also request deletion of their personal data.
- Data Breach Liability – Personal data breaches are violations of both AB 375 and GDPR. Consumers can institute a civil action in this case.
What is the difference between GDPR and AB 375?
Even though the California Consumer Privacy Act mirrors the GDPR in many regards, there are significant differences between them. Many companies have already worked towards meeting GDPR requirements, but they need to address the California Consumer Privacy Act separately. For example, AB 375 prescribes disclosures, communication channels and other concrete measures that are not required to comply with GDPR, and it contains a broader definition of personal data. It also establishes broad rights to access personal data without certain exceptions available under GDPR and imposes more rigid restrictions on data sharing for commercial purposes.
Impact of AB 375
Companies around the world will have to comply with the California Consumer Privacy Act if they receive personal data from California residents and exceed one of three thresholds:
- $25 million or more in gross annual revenue;
- Obtaining personal information of 50,000 or more California residents, households or devices annually; or
- 50% or more of their annual revenue coming from the sale of personal data.
The California Consumer Privacy Act puts tech companies under the spotlight as it will undoubtedly transform the way businesses in the technology industry operate. Top data companies will be required to restructure many of their policies and procedures in order to become AB 375 compliant.
Even though this regulation applies to every type of business, much of the burden falls on the tech sector. The amount of data produced increases daily, and much of it is personal and used for various purposes by tech companies. Because of the massive amount of data they process and control, technology companies are exposed to potential fines for non-compliance, data loss and data breaches.
With digital transformation trends, more and more companies are relying on cloud services. Therefore, cloud providers and data centre providers will have to increase security measures and processes within their organizations in order to protect and handle customer data and ensure compliance with AB 375.
Companies such as Google and Facebook have already implemented many new privacy protection measures to comply with the EU GDPR. Facebook claims to support AB 375, although it is “not perfect,” and, together with other companies, it looks “forward to working with policymakers on an approach that protects consumers and promotes responsible innovation.”
With AB 375 not going into effect until the beginning of 2020, it is still possible to amend it. Robert Callahan, head of state government affairs at the Internet Association, claims “it is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.” However, before tech companies can try to persuade California lawmakers to amend the law, it is necessary to assess the impact of the initial version and identify what changes to request.
How to prepare for AB 375
Companies will need to take a number of steps to comply with AB 375’s requirements, such as:
- Prepare data maps, inventories or other records of all personal information as well as information sources, storage locations, usage and recipients.
- Provide designated methods for submitting data access requests, such as a toll-free telephone number.
- Update privacy policies including a description of California residents’ rights.
- Provide a clear “Do Not Sell My Personal Information” link on the business’ Internet homepage.
- Determine the age of California residents and implement processes to obtain parental or guardian consent to data sharing for minors under 13 years and the affirmative consent of minors between 13 and 16 years.
- Introduce additional security measures to guard against data breaches.
AB 375 Non-Compliance Penalties
Failure to comply with the California Consumer Privacy Act could be costly to businesses with civil penalties resulting from an action by the state Attorney General of up to $7,500 per violation. Also, in the event of a breach of personal information, AB 375 provides consumers with statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater. Finally, the Act directs the Attorney General to solicit broad public participation in developing regulations to implement the Act and, as part of that process, to develop specific rules and procedures dealing with opt-out and other provisions within one year of the date of enactment.
Changes in Privacy Law Landscape
The emergence of the California Consumer Privacy Act and the EU General Data Protection Regulation shows that personal data is finally being recognized as something of value. Given the recent scandals involving Facebook, Cambridge Analytica, Equifax and numerous tech companies that treated other people’s personal data as their own property, it is no surprise that data protection legislation has started to change rapidly, involving users directly in decisions about data sharing.
AB 375 requires tech companies such as Facebook, Google, and Amazon to disclose the types of data they collect on customers, to reveal the advertisers and other third parties with whom they share user information, and to disclose their data-sharing practices in order to protect user information. Thus, it could significantly disrupt the way they do business and share user data.
Even though tech companies’ representatives are planning to lobby to further amend the law, the fact remains that AB 375 introduces a more complex privacy law landscape not only in California, but also in the rest of the United States and the world, given the impact of this state on the global economy.