California Lawmakers Pass Landmark Privacy Bill

By: Price Murry

Lawmakers passed bill AB 375 yesterday as part of a concerted effort to stop a ballot initiative on consumer privacy in California. As a result, businesses that operate in California will soon need to comply with the new law. The requirements take effect in 2020 and will likely change between now and then, but businesses should think about how to prepare over the next 18 months.

Who Does the Law Apply to?

Any business that operates in California is potentially subject to the new rules if it satisfies any of the following:

  • Annual gross revenue over $25 million;
  • Alone or in combination with any affiliates, buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Any business with sufficient revenue or customer base will be subject to the new privacy protection rules, regardless of whether they are a tech company or are headquartered outside of California, so long as they operate in California and collect personal information from California residents.

What Rights do Consumers Have?

Disclosure – Consumers have the right to receive any of their personal information a business has collected, free of charge up to twice a year. Businesses also must track and disclose the categories of information collected and the purposes for which it will be used.

Deletion – Consumers have the right to request deletion of any personal information a business collected about them. While this may be concerning for many businesses, there are numerous exemptions which will allow a business to continue to use the data for internal processing, similar to legitimate purposes under GDPR.

Opt Out – One of the more complex areas of the new law surrounds the consumer’s right to not have their personal information sold or shared. The law requires businesses that sell or share personal information to include a link on their website called “Do Not Sell My Personal Information,” which must direct visitors to a page allowing them to opt out. Consumers must be able to exercise this right without having to create an account, which can present operational challenges for businesses trying to verify who is making the request.

No Discrimination – Businesses also cannot provide a different level of goods or services to a consumer that exercises their rights, though there are again exemptions if the service provided requires consumer data to be useful, such as a social media site. This requirement is especially difficult for businesses that generate revenue by providing targeted ads, as the crux of the business model is using consumer personal information to keep the lights on.

Opt In Required for Minors – Businesses cannot sell the information of minors without their consent. This again presents operational challenges for businesses that are unaware they collect information from minors. While most consumers have to opt out of data selling, minors must opt in. But minors must also receive the same level of service even if they don’t, based on the non-discrimination rules noted above.

Private Right of Action

Perhaps one of the most troubling parts of the new law is the creation of a private right of action for any consumer whose information is accessed or disclosed as the result of a data breach. Consumers can recover between $100 and $750 per consumer per incident, or actual damages, whichever is greater, without any proof of injury. Businesses must carefully analyze their data security practices and procedures to ensure they are reasonable for the protection of information; otherwise a single data breach could become extremely costly.

There are two accommodations to help businesses manage their risks. First, a consumer must provide the business with 30 days written notice to cure any alleged violations. While this may help some businesses, in the event of a breach there may be no chance of reversing the disclosure. One cannot put the proverbial genie of consumer data back into the bottle and cure the defect. In that case businesses must rely on proving they took reasonable steps to protect the data.

The second accommodation allows the Attorney General to step in within 30 days. The Attorney General may either 1) notify the consumer that the Attorney General will prosecute an action in lieu of the private lawsuit, 2) allow the private lawsuit to continue, or 3) essentially veto the lawsuit. How this will play out in practice is uncertain, but the procedure is very similar to the Private Attorneys General Act (PAGA) and will likely be used in a similar fashion by plaintiffs.

So What Now?

This new law does not go into effect until January 1, 2020. In the intervening 18 months there will most likely be several legislative changes to the bill, so the law passed today will not be the same law that businesses must abide by. So for businesses that are not already concerned with privacy laws vis-à-vis the GDPR, there is still time to prepare.

For now businesses should look to whether they are covered by the new law and begin to understand their current data practices. The law will cover many businesses that do not otherwise think of themselves as data companies, and those businesses must prepare for compliance or face the risk of private lawsuits and statutory damages. The law may change between now and 2020, but it’s here to stay and businesses must adapt.

If you have any questions, contact your Chugh attorney.
