California’s Consumer Privacy Act of 2018 is the most far-reaching attempt at data protection since HIPAA. It’s at the same time more, and less, than it appears. Regardless, it will change the privacy landscape in the US for years and serve as a model for states and will also provide work for lawyers and IT consultants for a long time. The haste in which it was drafted, though, creates exemptions and ambiguities that will foment considerable uncertainty and a number of disputes..
The Consumer Privacy Act of 2018 is far-reaching in its scope and provides, for the first time in state data protection law, a comprehensive “right to know,” similar to that in the European General Data Protection Regulation (“GDPR”). A covered business (more on this limited definition below) must, “at or before the point of (data) collection” (which, for practical purposes means on a website), inform consumers of the types of information it collects and the purposes of that collection.US businesses that market to EU customers or engage in transactions with European residents are revising their website privacy notices to meet similar provisions in GDPR, which is one reason your in-box has been filled to overflowing by those “We have revised our privacy policy” emails. Revisions for California’s statute, which takes effect January 1, 2020, are in the offing.
California residents may, as in GDPR, request that organizations disclose all the covered information they have on him or her, and reasons why they disclose that information to third parties. Consumers can also request that their information be deleted (subject to certain restrictions in the Act), and may request that the business not sell their personal information. The definition of “personal information” covered by the Act is arguably broader than that in the GDPR, comprising geolocation data and “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
This last category, while arguably aimed at profiling and analytics tools and resultant data may, by its verbal density and vagueness, create a lot of work for lawyers. Another perplexing provision appears to significantly limit the jurisdiction of the Act, limiting it to businesses with over $25 million on annual revenue, those that earn more than 50% of revenue from sale of personal information or a business that “buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” It is easy to envision a torrent of disputes over jurisdiction with regard to such terms as “households,” “alone or in combination” and “access” to 50,000 “devices.”
The Act was drafted in some haste, to head off a data protection ballot initiative that was significantly more aggressive, and this may account for some of the lack of clarity and for other provisions, like the one on jurisdiction, that clearly appears to be legislative compromises. The Act provides for a personal right of action with statutory and actual damages available (as well as state enforcement by the attorney general), but prior to bringing an action the consumer must provide a notice to the business and a 30-day opportunity to “cure.” Disputes over the content of that notice, and what determines a sufficient “cure” will perhaps induce law firms with privacy practices to hire more associates and staff.
California will not be the last state to follow Europe’s lead. New Jersey is actively considering GDPR-style privacy and security legislation and has already commenced hearings. New York’s Department of Financial Services Cybersecurity Regulations mirror many provision of the GDPR, including a 72-hour breach notification requirement and a provision for deletion of data no longer needed for business purposes or legal or regulatory compliance.
If you have questions about how privacy or cybersecurity legislation or regulations may affect your business, please contact Kenneth N. Rashbaum.
