July 9, 2018
On May 25, 2018, the European Union’s General Data Privacy Regulation (GDPR)[i] went into effect. Hailed by many and criticized by others, the GDPR imposes obligations on businesses that control or process the personal data of EU data subjects and affords EU data subjects expansive rights regarding the use and disclosure of their personal data.[ii] One month after the compliance effective date for GDPR, California legislators unanimously enacted and Governor Jerry Brown signed into law[iii] California AB 375, otherwise known as the California Consumer Privacy Act of 2018 (the Act).[iv]
Effective January 1, 2020, the Act amends California’s Information Practices Act,[v] a consumer protection statute. In many respects, the Act mirrors the GDPR. For instance, the Act significantly expands the definition of “personal information”[vi] to include data variables like those captured under the GDPR’s definition of “personal data,” including unique personal identifiers such as IP addresses, online browsing and search histories, geolocation data, and inferences drawn from personal information about consumer preferences, characteristics, behaviors, and attitudes.[vii] The Act also requires a qualified business to disclose to California consumers what personal information it collected about them, where the business gets that personal information, why the business collects the personal information, what category of third parties the personal information is shared with, and whether the business sells their personal information and, if so, to whom.[viii] Businesses to which the Act would apply include corporate entities that collect California consumer personal information and that satisfy one or more of the following thresholds: (a) annual gross revenue in excess of $25 million; (b) annually buy, sell, or share personal information of 50,000 or more consumers, households, or devices; or (c) derive 50% or more of their annual revenues from selling consumers’ personal information.[ix] These disclosures must cover the 12 months preceding the business’s receipt of such requests. A consumer request must be fulfilled within 45 days of such a request, but a business may obtain an additional 45 days when reasonably necessary.
Consumers also have the right to request that a business delete personal information that it has collected about the individual[x] and not sell the consumer’s personal information.[xi] The Act also affords consumers a private right of action for data breaches of nonencrypted or nonredacted personal information, though damages are capped at $750 per consumer, per incident or actual damages (if higher).[xii] The California Attorney General may also intervene.[xiii]
Much like the impact of the GDPR on businesses that use and disclose personal data of EU data subjects, one could argue that the Act is a game changer for US businesses, including those who may not have otherwise been affected by the GDPR. Like GDPR, the Act will require a business to assess what type of information it collects and shares about California consumers, whether it can or should adopt different technical measures and policies and procedures for California consumers versus other domestic consumers,[xiv] and whether the business has the technical capabilities to respond to consumer requests (including the right to request deletion of their personal information and to prohibit the sale of their personal information).
Notably, the Act does not apply to “protected health information,” as such term is defined by the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations (45 CFR Parts 160 & 164) or, for California licensed facilities, the California Confidentiality of Medical Information Act (Cal. Civ. Code 56-56.37; Cal. Health & Safety Code 1280.15).[xv] This is good news for US health care providers; however, this exception does not mean that US health care providers can ignore the Act. Health care providers and health care businesses that are not HIPAA covered entities or licensed California facilities or practitioners which do business with California consumers must still determine if they collect or process data that would not be “protected health information” under HIPAA but would be “personal information” under the Act (e.g., internet or other electronic network activity, inferences drawn from other personal information). This will be especially true and important for businesses that operate in the “health care” sector but which are not HIPAA covered entities, including businesses that develop and promote wellness applications.
Businesses have 18 months to prepare for the enforcement of the Act. Industry speculation points at amendments to the bill within this timeframe. That said, the time to start your risk assessment and data mapping is now.
[i]Regulation (EU) 2016/679 (April 27, 2016)
[iii]The unanimous passage and quick signing of AB 375 was driven, in part, by efforts to avoid a qualified California ballot initiative that had been proposed and supported by Alastair Mactaggart, a San Francisco real estate developer and privacy advocate, and the Californians for Consumer Privacy. Measure No. 17-0039. The ballot initiative sought to advance many of the obligations and rights afforded by the Act. See https://www.caprivacy.org/ . If the ballot initiative had passed, it would have been more difficult to effectuate changes than it would have been to amend the Act. Following enactment of the Act, the ballot initiative was withdrawn, as required by the Act. http://www.sos.ca.gov/administration/news-releases-and-advisories/2018-news-releases-and-advisories/proponents-withdraw-initiative-establish-new-consumer-privacy-rights-expand-liability-consumer-data-breaches/
[iv]http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375 . See also Cal. Civ. Code 1798.198(b).
[v]Cal. Civ. Code 1798 et seq.
[vi]GDPR, art. 4 (“personal data”).
[vii]Cal. Civ. Code 1798.140(o).
[viii]See Cal. Civ. Code 1798.100(a), 1798.110, and 1798.115.
[ix]Id. at 1798.140 (“Business”).
[x]Id. at 1798.105.
[xi]Id. at 1798.120.
[xii]Id. at 1798.150(a), (b)(1)
[xiii]Id. at 1798.150(b)(3).
[xiv]It is quite possible (if not probable) that other states will follow California’s lead and adopt legislation like the Act.
[xv]Cal. Civ. Code 1798.145(c).