What you need to know about The California Consumer Privacy Act of 2018

Jul 9, 2018 | Blog

On June 28, 2018, after a last-minute frenzy in the state legislature, California Gov. Jerry Brown (D) signed a bill introducing tough, General Data Protection Regulation-esque restrictions on how companies handle Californians’ personal data. Unless amended before its January 1, 2020 effective date, The California Consumer Privacy Act of 2018 (aka bill AB 375) will be the strictest data privacy law in the United States. It could have profound effects in California, and in any state that decides to emulate the law.

As critics and proponents of AB 375 line up to have their voices heard, any argument regarding the bill should, at the very least, be an informed one. So, in the spirit of education, here’s what you need to know:

First things first, a quick recap:

AB 375 was thrown together in about three months. GDPR, its European analog, took four years. The rush to pass the bill was the result of an effort to avoid an even stricter voter initiative that would have appeared on California ballots this November had lawmakers not hammered AB 375 through by its 5 p.m. PT deadline on the 28th of June.

By passing the bill and avoiding the voter initiative, the legislature bought time to review and amend the law before it goes into effect. Tech industry lobbyists representing giants like Google, Uber, Amazon, and Facebook are already pushing for change, driven by fears that the new law could hamper their operations and herald tougher regulation at the federal level.

Does the law apply to me?

The law applies to any for-profit business that does business in California, whether it has a physical presence in California or not, with annual gross revenue of $25M or more and either:

  • Collects, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices; or
  • Derives at least 50% of its annual revenues from selling consumers’ personal information

The law also applies to affiliated, co-branded entities of businesses that meet the above criteria, even if the affiliate doesn’t do business in California.

Okay, the law applies to me… what now?

As drafted, AB 375 requires that:

  • Businesses provide information to individuals about: the categories and specific pieces of personal data that the business has collected or sold, the categories of sources from which the data was collected, how the data will be used, and to whom the data will be disclosed.
  • Unless an exception applies, businesses must delete the personal data of a California resident on request.
  • If a business collects or buys the personal data of a California resident, it cannot resell that information to a third party unless the individual has received notice of the proposed sale and an opportunity to opt out.
  • Businesses cannot refuse to provide goods or services to individuals who exercise their privacy rights.

Apart from the bill’s sponsors, no one seems particularly smitten with AB 375. Advocates on all sides of every aisle point out that the bill contains vague, confusing, and arguably contradictory language that will surely fuel many political and legal fights.

Companies should tread lightly in pushing for changes to the law, however. Vehemently opposing privacy regulations is bad optics when corporate data and privacy stories, like the Facebook/Cambridge Analytica debacle, make national headlines daily.

At a press event last week, Facebook COO Sheryl Sandberg said her company supports the bill. In April, Facebook withdrew support from the Committee to Protect California Jobs, which was created to lobby against the original voter-led ballot initiative.

Katherine Williams, a Google spokesperson, said Google looks forward “to improvements to address the many unintended consequences of the law.”

Regardless of how the law morphs in the next two years, businesses should take the passage of AB 375 as a wake-up call (if they somehow slept through the introduction of GDPR). Companies should work toward improving their data collection, storage, and distribution methodologies to be not only policy compliant, but also aligned with the best interests of consumers.

Context

Context was founded in 1997 to help companies succeed by becoming more sustainable. We enjoy contributing to broader conversations by sharing our thinking on sectors, sustainability topics and trends.