- California’s GDPR Has Become Law
- July 2, 2018 | Authors: Alexander F.L. Sand; Mary Jane Wilson-Bilik; John S. Pruitt
- Law Firms: Eversheds Sutherland (US) LLP - New York Office ; Eversheds Sutherland (US) LLP - Washington Office
On June 28, 2018, California passed a sweeping new privacy bill, AB 375, now known as the California Consumer Privacy Act of 2018 (CCPA). The California legislature passed the bill in the morning and the governor signed it that afternoon in a hurried effort to avoid a November vote on a ballot initiative that proposed a similar but more stringent version of the new privacy requirements. The proposed ballot initiative had raised significant concerns among California legislators and business leaders, particularly since laws passed through the ballot initiative process are significantly harder to amend than those passed through the standard legislative process. Although now approved, the CCPA faces at least 18 months of legal uncertainty, since lawmakers have indicated that they intend to keep refining the bill ahead of its January 2020 effective date. In addition, the CCPA specifically calls upon the California Attorney General to solicit broad public participation in adopting regulations to “further the purposes of this title,” as well as to determine whether any substantive exceptions and modifications are needed to accommodate changing technologies and other laws.

The proposed ballot initiative and the quick passage of the CCPA make clear that there is large-scale public support for enhanced privacy regulation in the world’s fifth largest economy, which is certain to have a marked effect on many companies.

Who does the new law cover?

The CCPA includes many concepts similar to those in the landmark EU General Data Protection Regulation (GDPR), which has led many to call this legislation “California’s GDPR.” The new law covers those businesses that have annual gross revenues in excess of $25 million, and it could reach far beyond California’s borders. Excluded from the act, however, is commercial conduct that takes place “wholly outside of California.”

What does the new law do?

The new law contains many detailed provisions, many of which are similar to concepts found in the GDPR. For example, both require enhanced transparency over what businesses do with personal data, and both require disclosures to consumers on how the business collects personal data, how it processes the data, and to whom it transfers or sells the data.

In addition, the California law, like the GDPR, affords a consumer a “right to be forgotten” in certain circumstances. That right does not have to be honored in California if the information is necessary to complete the transaction for which the personal information was collected or if it is necessary to provide a good or service the consumer requested. The right to be forgotten is also limited when the business needs the data to perform its obligations under a contract between the business and the consumer, or for legal or regulatory reasons.

Obtaining consent under California’s law differs from the method required by the GDPR. In Europe, consumers must opt in by affirmatively giving consent. Under the CCPA, consumers need not opt in, but they can opt out of the sale of their personal information. Under California’s new law, opt-in consent applies only to the sale of personal data of individuals under the age of 16. Businesses also are largely prohibited from charging consumers a different price, or providing a different quality of goods or services, as a result of a consumer opting out of the sale of his/her personal information.

Finally, and importantly, the CCPA provides a limited private right of action for data breaches, with statutory damages of up to $750 per consumer per incident or actual damages, whichever is greater.

Eversheds Sutherland will provide further analysis of specific provisions, as well as updates if California passes changes to its newly minted law. In the interim, companies across the spectrum may want to start assessing whether the new California law could apply to them and, if so, how they are going to comply and how they are going to navigate compliance with other similar—but not identical—privacy laws.