Sweeping New Privacy Bill Adopted in California

California Governor Jerry Brown signed sweeping new privacy/data security legislation yesterday. The California Consumer Privacy Act of 2018, AB375, breezed through the state legislature in just one week and passed unanimously in both houses. The new law will have a substantial impact on all companies that do business in California.

For several months, ANA and our industry partners have been gearing up to fight a major privacy ballot initiative this November in California. On June 21st, we learned that the author of that proposal, real estate developer Alastair Mactaggart, had reached a deal with two key members of the California State Legislature, Assemblymember Ed Chau and Senator Bob Hertzberg. If they could move a scaled-down version of the California Consumer Privacy Act through the legislature and deliver it to the desk of the governor by June 28th, Mactaggart stated he would withdraw his proposal from the ballot. The proposal was withdrawn yesterday.  

Industry was not involved in those negotiations and was given very little time or opportunity for input on the new Chau/Hertzberg privacy bill. We pushed back in several areas and the sponsors agreed to some modest changes. ANA has been working closely with the California Chamber and other industry groups on these issues and we opposed the bill, which has a number of very serious defects.    

AB375 will take effect in January 2020 and there will be a rulemaking by the Attorney General to clarify a number of ambiguous and conflicting provisions in the legislation.  There would have been very little opportunity, if any, to change the ballot initiative if approved by the voters in November – ballot initiatives can be amended only through a 2/3 vote of both chambers of the state legislature.  

On balance, there is a better opportunity to improve this flawed legislation than to successfully oppose the even more seriously flawed ballot proposal which contained massive potential penalties for violations. That’s the tough choice the business community made.

AB375 will establish broad new privacy rules for the collection and use of data in both the online and offline world:

  • Consumers will have the right to demand companies provide all of the information that has been collected about them as well as the right to demand the deletion of that information.
  • Consumers will have the right to opt out of the sharing of any personal information about them to another company and cannot be discriminated against for doing so. There are inconsistent provisions in the law that could impact loyalty or discount programs.        
  • The new law has a very broad definition of “personal information” that includes web browsing and app history, biometric information, geolocation data and much more.
  • Companies who experience a data breach will be subject to a new private right of action with statutory damages of no less than $100 per violation and up to $750 per consumer per incident or actual damages, whichever is greater. By contrast, the ballot initiative provided penalties of no less than $1,000 up to $7,500 per violation. Companies will have 30 days to rectify a breach once notified before a suit could be brought against them.    

The new law will apply to companies with annual gross revenues in excess of $25 million; personal information about 50,000 or more consumers; or which receive 50% or more of their annual revenues from selling consumers’ personal information. This is even more expansive than the privacy ballot initiative in regard to coverage.

We will continue to work with our members and industry partners on how best to respond to this new legislation.