By: Robert Cattanach and Sam Balstad
Back in 1972, California voters added privacy to the state constitution’s list of inalienable rights. On June 28, 2018, the California Legislature enacted and Governor Brown signed the California Consumer Privacy Act of 2018. The new Privacy Law creates one of the most comprehensive frameworks for regulating digital privacy in the United States.
The Privacy Law gives California consumers the right to demand that businesses tell them what personal information the business is collecting, why it is collecting the information, how it is using the information, and with whom it is sharing the information. Consumers have the right to request deletion of their personal information and opt out of having their information sold to third parties. The Privacy Law specifically requires businesses to include a “Do Not Sell My Personal Information” button on their websites. For consumers less than 16-years-old, businesses cannot sell personal information without affirmative, opt-in consent.
The Privacy Law applies to businesses that either have an annual gross revenue of more than $25 million, deal with the personal information of at least 50,000 people, or derive 50 percent or more of their annual revenue from selling California consumers’ personal information. Businesses must generally provide the same quality of service to consumers who opt out.
Failure to comply with the Privacy Law exposes businesses to increased liability risks. The state attorney general is authorized to enforce the Privacy Law with a new, broader authority to fine businesses. Consumers have a private right of action to sue businesses who violate their digital privacy rights.
Still, businesses view the Privacy Law as more favorable than a citizen ballot measure that would have otherwise been voted on in November. The ballot measure, widely viewed as stricter than the Privacy Law, was polling at around 80 percent approval. Real estate developer Alastair Mactaggart spent more than $3 million and secured more than 625,000 signatures to get the measure on the ballot. Facebook, Google, Verizon, Comcast, and AT&T each contributed $200,000 towards opposing the ballot measure, and were prepared to continue fighting against the measure into November. Mactaggart used the ballot measure as leverage to force the legislature to take action now, and he agreed to withdraw the ballot measure with the passage of the Privacy Law.
The legislature rushed to pass the Privacy Law because June 28 was the last day Mactaggart could withdraw the ballot measure. The Privacy Law takes effect in January 1, 2020, giving the legislature 18 months to pass “cleanup bills.” Although the legislature could have amended the ballot measure if it were enacted, that would have required a 70-percent majority in both houses—a heftier burden than typical legislative amendment. Robert Callahan, vice president for the Internet Association, a group that includes Google, Facebook, and Amazon, said the group would “work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create.” On the other hand, Nicole Ozer, technology and civil liberties director for the ACLU of California, said the Privacy Law “was hastily drafted,” “fails to provide the privacy protections the public has demanded” and “needs to be fixed.”
Notwithstanding amendments before 2020, the Privacy Law contains a number of provisions comparable to or broader than the European Union’s General Data Protection Regulation, but is less restrictive in other ways. For example, the Privacy Law defines personal information more broadly than the GDPR. The Privacy Law also regulates the sharing and sale of personal information in a more restrictive manner than the GDPR. Unlike the GDPR, however, the Privacy Law does not require opt-in permission before a business may collect personal information. Rather, the only way to functionally opt out and prevent a business from collecting a consumer’s personal information under the Privacy Law is to request that the business delete that information.
Businesses will continue to face increasing regulation to protect consumers’ personal information, as other states are sure to emulate California’s policy and other countries jump on the GDPR bandwagon internationally.