On June 28, 2018, California’s governor Jerry Brown approved the California Consumer Privacy
Act of 2018, which will impose entirely new obligations on businesses that no other state
requires. California law already requires businesses to notify any California resident whose
unencrypted personal information was acquired by an unauthorized disclosure. This new privacy
law—scheduled to become effective in 2020—was hastily enacted by the legislature and signed
by Governor Brown in order to moot a ballot initiative scheduled for the November elections.
This law goes much further than existing California law, affecting major tech companies like
Google and Facebook, as well as brick-and-mortar retailers with customer loyalty programs, and
most businesses that collect any information about their customers. Because California’s
politicians rushed the bill through, the text contains numerous drafting errors and
ambiguities that will hopefully be fixed before the law goes into effect.
Beginning January 1, 2020, the new privacy law will grant California residents a right to request
a business to disclose what “personal information” in the last 12 months the business has
collected about the consumer, where it gets that information from, the business’s commercial
purpose for collecting such information, and to whom the information has been sold or shared.
The law details an extensive list of what constitutes “personal information,” including
purchasing history, email addresses, internet search history and geolocation data. Businesses
will generally need to provide the information within 45 days of the consumer’s request.
California residents will also have the right to request that businesses delete their “personal
information” and the right to opt out of the sale of their “personal information” to third parties.
Persons who opt out cannot be charged more for services, provided different levels of service, or
otherwise be discriminated against for exercising this right, unless “that difference is reasonably
related to the value provided to the consumer by the consumer’s data.” Exactly what value is
provided to a consumer by her own data is unclear. This ambiguity may be one of the drafting
errors contained in the bill—that is, the legislators may have intended that a consumer who opts
out can be charged more if the difference is reasonably related to the value provided to the
business by the consumer’s data. We shall see.
In addition to enforcement actions brought by the California Attorney General, the new privacy
law creates a private right of action for any consumer (on an individual or class-wide basis)
whose “personal information” is subject to unauthorized access, theft, or disclosure as a result of
the business’s “violation of the duty to implement and maintain reasonable security procedures
and practices.” The statutory damages for the private right of action are between $100 and $750
per consumer per incident or actual damages, whichever is greater.
Class action lawsuits over data breaches have long been filed. For example, in 2017,
Anthem, Inc. agreed to settle a lawsuit for $115 million after a data breach affecting 80 million
people. In the data breach context, the consumer’s actual monetary damages have often been
minimal because such damages are usually out-of-pocket expenses relating to reimbursement for
resolving resulting identity theft. The new privacy law’s addition of statutory damages will
undoubtedly be another weapon that consumer attorneys will use in data breach cases.
The text of Assembly Bill 375 is available here. Please contact Kyle Foltyn-Smith or Jerry
Hawxhurst if you would like to discuss AB 375.