In our April newsletter, we told you about the ‘General Data Protection Regulation’ (GDPR) that went into effect in the EU on May 25, 2018. That European regulation provides sweeping privacy requirements for anyone that does business with or collect identifying information on European residents. We opined that an American GDPR would not happen here for a long, long time because American and European philosophies of privacy are so different.
It turns out that a long, long time is about one month. The world’s fifth largest economy, umm… that would be California… has enacted its own version of the GDPR. California’s Consumer Privacy Act of 2018 (California CPA) differs from GDPR, but has similar roots; namely, recent major data breaches and massive misuse of data.
The California CPA headed off a consumer privacy ballot initiative that was scheduled for a vote in November with over 600,000 petition signatures. In intense negotiations, the ballot initiative organizers agreed to withdraw the initiative and to back the California CPA bill.The California CPA has a very broad definition of ‘personal information’ and provides that Californians have the right to know what data is collected (not just categories of data, but also the data itself). The consumer also has the right to know the source of the data, the business purpose for collecting and selling the data, and the categories of parties with whom the information is shared. The consumer has the right to access and to delete personal information, and the right to opt out of the sale of personal information. The California CPA applies to larger businesses of any type and even small companies in the business of harvesting data.
The consequences of poor data security have just increased. Section 1798.150 of the Act includes the following:
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
This means that any business that receives personal information for a California resident can be subject to suit for a subsequent data breach. The statutory damage amounts for each consumer are relatively small, so small data breaches will not be worth the cost for consumers to pursue. Large data breaches, however, will attract class action law firms. If your business is an on-line retailer or otherwise collects, receives or processes data on California residents, it’s time to put your digital house in order and improve your data security.
Now wait a minute – there are several Federal laws that deal with specific privacy issues such as medical information and credit reporting. Isn’t the California CPA preempted by those Federal laws? In a word, no. The California CPA includes carve-outs for the existing Federal laws to prevent a conflict and prevent preemption.
The California CPA goes into effect on January 1, 2020 and presents an extra burden for any business that collects customer or visitor information. Those persons now have three sets of regulatory standards to meet – Europe, California, and everywhere else. Major Internet providers lobbied against the bill, arguing that it will erase much of their ad revenue and disrupt their basic business models. We anticipate that the efforts of the Internet providers, data aggregators and the customers of those entities will switch to the U.S. Congress in an effort to push through Federal legislation to preempt the California act. They have eighteen months.
–Robert Yarbrough, Esq.