Thursday, June 28, 2018

California Enacts Sweeping Privacy Law to Avoid Vote on Ballot Proposal in November

Well, they did it.  

California is re-shaping U.S. privacy law again.  At the last possible minute, California lawmakers enacted a statute and persuaded the proponent of a strict privacy ballot initiative to withdraw the proposal.  

Today, the California legislature passed, and the California Governor signed, Assembly Bill 375 (the "Consumer Right to Privacy Act of 2018").  I wrote last week about the proposed bill, which resembles the ballot initiative of the same name, but is more business-friendly in most (but not all) ways than the ballot proposal (which I described here). The proponents of the ballot initiative have revoked their proposal on the final day prior to official qualification for the November ballot.

The world now has until January 1, 2020 to decide how to play by the new rules in California.

Rumors are already swirling on social media that the statute could be amended (i.e., weakened) before it becomes effective. (Statutes enacted by the California legislature can be more easily amended than laws approved by voters at the ballot box.) 

You can read my initial thoughts on the bill in my earlier post.  I intend to provide a more detailed analysis soon. 

Saturday, June 23, 2018

California Lawmakers Make Last-Ditch Effort to Preempt Privacy Ballot Proposal

I recently wrote about a ballot initiative in California that, if approved by voters in November, will dramatically change privacy law in California (and very likely the rest of the United States).  Two days ago, a bill was introduced in the California legislature in an attempt to pre-empt the ballot initiative.  (Remember how I keep telling you how quickly things move in privacy law?!?!)

[If you have not already, read my summary and analysis of the ballot initiative first.]

California's deadline for collecting signatures for initiatives to be included on the ballot in the fall is June 28 (next week).  The Consumer Right to Privacy Act of 2018 (v.2, No. 17-0039) already has far more signatures than is necessary, and is almost certain to be eligible for inclusion on the ballot when the deadline arrives next week.  Many industries, and specifically the digital advertising industry, are scrambling to address it before it causes massive disruption (and opportunity?) in the digital marketing world.

Two days ago, on June 21, California lawmakers (from each house) introduced AB 375 in the Assembly, titled "The California Consumer Privacy Act of 2018" (which, if you are paying attention, you will notice has the same title as the ballot proposal...probably not by accident).  If this bill is adopted by the legislature and signed by the Governor before the ballot initiative's qualification deadline next week (6/28), the proponent of the ballot initiative has agreed to revoke the ballot proposal from consideration.

As you might imagine, the legislative bill intentionally includes several elements that are present in the ballot initiative, but is more friendly to business (especially digital marketing/advertising) in some ways than the ballot proposal.  Importantly, the bill would be enforced primarily by the California Attorney General, whereas the ballot initiative would likely leave enforcement primarily to plaintiffs' class action lawyers.  Penalties under the bill are limited to $100-750 per violation, and only for failing to protect data from a breach.  The bill also has important exclusions, such as data collected for one-time transactions, de-identified data, etc.  Based on my initial reading, the right of a consumer to opt out in the bill appears to apply only to data sales, not just data sharing for business purposes.  The proposal's prohibition on discriminating against consumers who opt out seems somewhat softened in the bill.

On the other hand, the bill seems to be a bit more rigorous in some ways (surprisingly!).  For example, the bill would require organizations to tell a consumer the "specific pieces" of personal information that have been collected about an individual Californian (not just the "categories" of information).  In addition, the bill includes a data deletion right similar to the EU concept of the "right to be forgotten" (but with several exceptions, some broad).