California Enacts Sweeping Privacy Law; Will Other States Follow?
On June 28, 2018, Governor Brown signed into law the “California Consumer Privacy Act of 2018.” The legislation was a compromise to avoid a ballot initiative that was more closely modeled after the European Union’s General Data Protection Regulation (GDPR). This Act is scheduled to go into effect on January 1, 2020.
The Act enumerates a number of rights for consumers regarding the privacy of their personal information. Some rights, such as the right to be forgotten or the right to request information disclosure, are reminiscent of those seen in the GDPR, while others, such as the right to opt out of the sale of a consumer’s personal information, are specific to the new law.
Along with identifying consumer rights, the law also imposes requirements on businesses, including those that collect or have collected consumers’ personal information, to make specific disclosures about their personal information practices and to respond to consumer requests. Importantly, “personal information” is broadly defined to include common information, such as a name or email address, as well as more specific information, such as biometric information and geolocation data, although publicly available information is not included.
Another key component of the law is that it offers consumers a private right of action if their nonencrypted or nonredacted personal information is breached. The law provides businesses with a right to cure any consumer complaint prior to the consumer initiating an action for statutory damages, but it also requires consumers to notify the Attorney General of any filing to give the office the opportunity to pursue its own prosecution instead. Importantly, businesses cannot enforce terms that waive or limit a consumer’s rights under the Act, such as a class action waiver in a privacy policy.
Given that the law is not set to be implemented for more than a year, there could very likely be changes. However, with this law, California is leading the way for other states to enact similar laws to protect their consumers’ personal information, potentially raising questions about the feasibility of companies meeting differing requirements across state lines.
This law also comes on the heels of the Federal Trade Commission’s announcement of hearings on the harmonization and interpretation of federal and state laws that address unfair and deceptive practices, including privacy. This new law will likely be a topic of those conversations.
For more information about the California law, including a more comprehensive summary of its requirements, see our Client Advisory.