California’s new data privacy law could change how companies do business in the Golden State
This past November, Californians were going to have the opportunity to vote on a sweeping data privacy ballot initiative. The language was set, the signatures were collected, but the initiative never made it to the ballot.
A creation of Alastair Mactaggart, a wealthy Bay Area real estate developer, the initiative aimed to bring accountability to the data economy. “I wanted to start to address how we as consumers can get control of our information,” says Mactaggart, who spent more than $3 million on the campaign.
While the initiative polled well with the public, there was significant criticism.
“We were strongly opposed to it,” says Kevin McKinley, director of California government affairs for the Internet Association, an industry group. He says the bill was unworkable because it was written with “far-reaching definitions that had no grounding in law in America or Europe.”
Legislators also had misgivings. California ballot initiatives, if passed, are hard to amend. With a June 29 deadline to take the initiative off the ballot, a trade was proposed: If the legislature could pass a data protection law, Mactaggart would pull the initiative.
After a flurry of negotiations, Gov. Jerry Brown signed the bill into law on June 28.
The California Consumer Privacy Act of 2018 is the strictest consumer data protection law in the country. The law applies to any company that does business in California and has gross revenues above $25 million; annually buys, receives or sells personal information of 50,000 or more consumers, households or devices; or derives 50 percent or more of its annual revenue from selling personal information.
“Privacy—back in the old days—was a peeping Tom looking over the fence,” says Democratic state Sen. Bob Hertzberg, a co-author of the bill. “Today, it’s companies with very sophisticated algorithms being able to track huge amounts of information about you.”
Tracking parts of the European Union’s General Data Protection Regulation, which went into effect last spring, the CCPA gives consumers access to their data, the right to have their personal data deleted and the ability to opt out of having their data sold.
The CCPA also goes further than any existing law in the United States. At the federal and state level, the U.S. has various data protection and privacy laws focused on specific financial, health and student information. However, these laws largely leave the bulk of the data economy—everything from data brokers to social media—beyond their reach.
This law has national implications, and lawyers are working to make sense of it while legislators make updates before it goes into effect in 2020.
In contrast to the GDPR, the CCPA does not give consumers complete ownership of their data; nor does it create data minimization standards, which require companies to only use as much user data as needed to complete a task.
But the new law creates leverage for consumers through a private right of action, allowing individuals to sue a company if their personal information is released as a result of a data breach.
Writing to the bill’s drafters in August, California Attorney General Xavier Becerra called the private right of action too limited. He said consumers should be able to seek legal recourse to protect their privacy, not just after a breach. Representatives from Becerra’s office did not return a request for comment.
Statutory damages are set at $100 to $750 per person, per breach, or actual damages, whichever is greater. The damages are higher for a civil suit brought by the attorney general.
Defense firms believe this could set the stage for a new area for class action lawsuits. “Plaintiffs class action lawyers will look for an opportunity to test the cause of action by filing a case after the next big data breach is reported in the press,” says Kristen Mathews, a partner at Proskauer Rose in New York City. “If the cause of action turns out to be viable and lucrative for them, we will see these cases filed regularly after data breaches are reported.”
While not expanding the right of action, the law has already been amended once, in part due to Becerra’s letter. Changes included the removal of a requirement on consumers to notify the attorney general of a civil suit, clarifying the basis for the consumer right of action, and a six-month delay in attorney general enforcement. More amendments are expected.
California Democratic Assemblyman Ed Chau says he has taken note of these concerns raised by advocates, consumers, and industry representatives and will consider them, as he ultimately wants to make the law workable.
While the law continues to take shape, Hertzberg sees the potential for a national impact, similar to how California’s tailpipe emission standards became de facto nationwide industry standards.
However, Congress could override the CCPA. Last fall, Sen. Ron Wyden, D-Ore., proposed a strong data protection bill, but it showed little chance of passing. Sen. John Thune, R-S.D., is reportedly working on a separate bill. The Internet Association and other industry leaders prefer a federal law to a patchwork of state rules.
With the threat of a federal bill undercutting California’s work, Chau, a co-author of the CCPA, hopes California’s law will be treated as a floor and not a ceiling for U.S. privacy law.
“Europe is already ahead of us, as we’ve seen with GDPR,” he notes, admitting that California would “most likely not” have passed a strong privacy law without Mactaggart’s instigation. “So the question is: Do we really want to move backwards?”
This article was published in the January-February 2019 ABA Journal magazine with the title "Leading the Way: Inspired by Europe's sweeping GDPR, California’s new data privacy law could change how companies do business in the Golden State."