California’s Consumer Privacy Act of 2018 is the most far-reaching attempt at data protection since HIPAA. It is at the same time more, and less, than it appears. Regardless, it will change the privacy landscape in the US for years, serve as a model for other states, and provide work for lawyers and IT consultants for a long time. The haste with which it was drafted, though, creates exemptions and ambiguities that will foment considerable uncertainty and a number of disputes.
California residents may, as under the GDPR, request that organizations disclose all the covered information they hold on him or her, and the reasons why they disclose that information to third parties. Consumers can also request that their information be deleted (subject to certain restrictions in the Act), and may request that the business not sell their personal information. The definition of “personal information” covered by the Act is arguably broader than that in the GDPR, comprising geolocation data and “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
This last category, while arguably aimed at profiling and analytics tools and the resultant data, may, by its verbal density and vagueness, create a lot of work for lawyers. Another perplexing provision appears to significantly limit the jurisdiction of the Act, confining it to businesses with over $25 million in annual revenue, those that earn more than 50% of revenue from the sale of personal information, or a business that “buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” It is easy to envision a torrent of disputes over jurisdiction with regard to such terms as “households,” “alone or in combination” and “access” to 50,000 “devices.”
The Act was drafted in some haste, to head off a data protection ballot initiative that was significantly more aggressive, and this may account for some of the lack of clarity and for other provisions, like the one on jurisdiction, that clearly appear to be legislative compromises. The Act provides for a personal right of action with statutory and actual damages available (as well as state enforcement by the attorney general), but prior to bringing an action the consumer must provide a notice to the business and a 30-day opportunity to “cure.” Disputes over the content of that notice, and over what constitutes a sufficient “cure,” will perhaps induce law firms with privacy practices to hire more associates and staff.
California will not be the last state to follow Europe’s lead. New Jersey is actively considering GDPR-style privacy and security legislation and has already commenced hearings. New York’s Department of Financial Services Cybersecurity Regulations mirror many provisions of the GDPR, including a 72-hour breach notification requirement and a provision for deletion of data no longer needed for business purposes or for legal or regulatory compliance.
If you have questions about how privacy or cybersecurity legislation or regulations may affect your business, please contact Kenneth N. Rashbaum.