Governor Brown Signs Privacy Legislation into Law
Thursday, June 28, 2018
A CLTA News Express
June 28, 2018
Assembly Bill 375 (Chau), which enacts sweeping new privacy controls for Californians beginning January 1, 2020, has been signed into law by Governor Brown after passing unanimously out of the State Legislature just earlier this afternoon. As reported by CLTA earlier this week, the legislation was brokered as a last-minute deal to urge the backers of a privacy ballot measure, the “California Consumer Privacy Act of 2018”, to withhold their initiative from the November ballot.
AB 375, which becomes effective on January 1, 2020, in many ways mirrors the CCPA of 2018. The bill gives consumers the right to request from a business what information the business collects on them, the sources of the information, any third parties with whom the information is shared and the business purpose for collecting or selling the information. Consumers are given the right to require a business to delete personal information. Personal information does not include information derived from public government records but does include such identifiers as a name, postal address, email address, social security number and driver’s license number.
The bill does contain exemptions. A business may use or share information with a service provider if it is necessary to perform a business purpose, for example. Furthermore, a business does not have to delete personal information if it is necessary for the business to complete a transaction for which the information was collected, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business. Generally, a business with an annual gross revenue of less than $25 million is exempt unless its business is selling consumer information.
Enforcement is vested in the Attorney General, and companies have a grace period to cure any alleged violations. Any business can seek an opinion from the Attorney General for guidance. Fines are limited to $7,500 per intentional violation. In addition, the bill contains a limitation on individual damages for data breaches.
A coalition of trade associations and industry groups, including CLTA, made known their opposition to AB 375 via oral and written testimony, noting that while the bill will avert a “costly ballot fight against a flawed initiative”, it nevertheless represents a “serious threat to the California economy.” The coalition made clear that while they were opposed to AB 375 based on a number of substantial flaws, ranging from issues such as enforcement, definitions of personal information and sale, the right to delete information, and others, they vastly preferred it to the privacy initiative, which would leave “very little room to amend or update a law that would apply to businesses…that are constantly evolving for the betterment of California.”
Negotiations surrounding the measure will continue as the Legislature and opponents look to address concerns with the newly enacted law between now and AB 375’s effective date of January 1, 2020.