California passes landmark privacy legislation

 Jul 7, 2018 10:00 AM
by Derek Lackey

In a last-minute action, just a few hours before a looming deadline Thursday afternoon, the California legislature passed AB 375, the California Consumer Privacy Act of 2018. As a result of its passage, Alastair Mactaggart, the man behind a November ballot initiative to pass a similar law, has agreed to pull his bill from the ballot.

In a news conference held to celebrate the bill’s passage and signature by Gov. Jerry Brown, Assembly member Ed Chau, who leads the California Assembly’s Privacy Committee, called the bill a “historic step” for California consumers, “giving them control over their personal data.” The law, he said, “forges a path forward to lead the nation once again on privacy and consumer protection issues.”

California State Senator Bob Hertzberg was downright ebullient in striking a tone of victory: “This is a huge step forward for California,” he said, “for consumers all across the country.”

Mactaggart, who Hertzberg compared to Nelson Mandela and Mahatma Gandhi, chuckled in saying it’s “not every day you see a law made so quickly.” Indeed, he said, not more than a month ago he was convinced the ballot initiative was the only way the privacy law could be made reality. Instead, the legislature engaged only a week ago and quickly passed this sweeping legislation that brings into being significant new privacy rights for consumers.
“We have achieved a significant accomplishment,” Mactaggart said. “This is the strictest privacy bill in the history of the country.”

Assuming the law is not amended before it comes into force on January 1, 2020, the California Consumer Privacy Act would make it so:
• Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what's being done with their data in terms of both business use and third-party sharing. 

• Businesses will have to have a verification process so consumers can prove they are who they say they are when they do their requesting. 

• Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use. 

• Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special "Do Not Sell My Personal Information" button on their web sites to make it easy for consumers to object. 

• Sale of children's data will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that. 

• Organizations cannot "discriminate against a consumer" based on the exercising of any of the rights granted in the bill. For example, you can't provide a different level or quality of service based on a consumer objecting to the sale of their data. However, organizations could offer higher tiers of service or product in exchange for more data as long as they're not "unjust" or "usurious."

• A covered "business" is defined as any for-profit entity that either does $25 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.

• The law would be enforced by the Attorney General and create a private right of action for unauthorized access to a consumer's "nonencrypted or nonredacted personal information." Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).

• Finally, the law protects any "consumer," defined as a "natural person who is a California resident," which is defined as "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."

Asked if companies are likely to begin compliance now or wait until 2020, Hertzberg said he thinks the bill “sets a tone … Even though it will be delayed in implementation, you will have an impact just by the virtue of its existence.”

And what about talk that the legislature may make some adjustments to the law between now and 2020?

Chau said...

Read The Full Article