The California Consumer Privacy Act of 2018

//The California Consumer Privacy Act of 2018

The California Consumer Privacy Act of 2018

By |2018-06-15T15:58:27+00:00June 15th, 2018|news|0 Comments

The California Consumer Privacy Act, which will be voted on in November 2018, is an initiative brought by California consumer privacy advocates who seek to regulate businesses’ data collection practices while providing California residents with more control over how and when their data is collected and used. The initiative coincides with the entry in force of the European GDPR, therefore raising some concerns that this new act preludes a trend towards more EU-like privacy regulation at the state level in the U.S.

The Background of US Privacy Law

In an article I published three years ago for Quebec Lawyers Abroad, I did point out the difference in approach the U.S. and the EU have taken in the area of privacy regulation, the U.S. preferring a sectoral-based approach at the federal level that focuses on those sectors in which the risk to privacy is deemed the highest, while the EU has traditionally expressed a preference for adopting a principles-based approach to regulation that does not discriminate between industry sectors.  From that perspective the U.S., risk-based approach to privacy and data protection greatly contrasts the European approach that is built on the premise that privacy is a fundamental right of every individual. On that basis, U.S. organizations have been permitted to design their own privacy policy and practices to be as flexible or strict as they choose. The Federal Trade Commission (“FTC”), as the primary authority for enforcing privacy and data practices, only has authority to bring action against companies who violate their own self-imposed privacy policies. With the exception of sensitive areas like children data, financial data, and health data, organizations have not been given requirements about what they can or cannot do within their privacy practices so long as their actions and policies are consistent.

The general attitude towards privacy in the U.S. is that the consumer is responsible for protecting themselves. If a consumer wants to bring an action directly against an organization who misused or breached their data, they are left with civil claims like breach of contract or invasion of privacy, which have very high burdens of proof and rarely prevail. Additionally, the U.S. Constitution continues to protect the First Amendment’s freedom of expression, and requesting someone else’s data about you be erased has been seen as a violation of their First Amendment right.

The introduction of the California Consumer Privacy Actis important because it could potentially begin shifting the burden from the consumer to the organization within the U.S. The act seeks to impose actual requirements and restrictions on businesses’ privacy and data use practices while providing consumers with an actual venue for complaints and redress, which has never been available in the U.S. before.  Previously, a data or privacy breach was not considered harmful per se and consumers were required to prove actual damage caused by these breaches, whereas this new Californian legislation finds that sharing or collecting data contrary to the consumers’ wishes is sufficient harm to bring a claim.

Why is the California Consumer Privacy Act being proposed?

Since 1972, privacy has been an inalienable right recognized by the California Constitution.  California has since protected this right through numerous acts, such as the Online Privacy Protection Act and the Privacy Rights for California Minors in the Digital World Act, however, mirroring in that the thinking in the EU that lead to the adoption of the GDPR,  there is a general belief that the laws currently in place in California are no longer sufficient to address the privacy risks posed by the advent of new technologies.

What is being proposed within the California Consumer Privacy Act?

The California Consumer Privacy Act, which has been compared to the GDPR, focuses on providing CA residents with a series of rights. The list of proposed rights includes:

  • The right to know what categories of personal information is collected
  • The right to know who their personal information is being disclosed or sold to
  • The right to opt-out or stop the disclosure or sale of their personal information
  • The right to equal service and price
  • The right to request a copy of the personal information collected
  • The right to take action against organizations that do not respect their rights or privacy

Within these rights, California residents are guaranteed the right to be notified when their information is being sold. Businesses dealing with California residents will also have to design links on their home pages titled “Do Not Sell My Personal Information” that are clear and conspicuous to visitors. When a consumer clicks the link and completes the form, the organization is then prohibited from continuing to sell that data and must wait a minimum of twelve months before sending a new request to sell their data. If a consumer finds that their data is being sold after they’ve opted out, they are entitled to bring legal action and claim damages.

Additionally, under the right to equal service and price, organizations are prohibited from providing different or lower quality services to California residents who exercise their rights under this act. All of the organizations’ data collection and protection practices, in addition to the rights of California residents, must be posted on their website and updated at least once a year.

What will change if the act is passed?

Although this initiative will only affect the collection of data within California, it is believed that, because California is such a large state and major player within the economy, businesses will implement this standard nationally for the sake of efficiency. 

There have been mixed responses from large businesses. A group of large tech companies, including Verizon, Facebook, Google, and Comcast, were working together to stop the initiative. However, as events like Cambridge Analyticaand other major breaches have occurred, companies like Facebook and Verizon have quietly withdrawn in an effort to regain consumer trust. Although the law will not prevent these companies from using and selling California resident data, it will require complete transparency of their data collection and use practices and allow users to opt-out of these practices, which they claim will be difficult and expensive to implement. However, it should be noted that most of these are global companies now subject to the GDPR, which imposes much more aggressive privacy requirements. It is possible claims that the California act is too strict might be discredited by successful GDPR compliance.

To learn more visit the California Consumer Privacy Act website or read through the proposed initiative.

This article was written in collaboration with Monica Meiterman-Rodriguez