Legislature Moves to Forestall Privacy Initiative
Monday, June 25, 2018
Posted by: Heather Starkey
A CLTA News Express
As reported by CLTA last year, an initiative dealing with consumer privacy – dubbed the “California Consumer Privacy Act of 2018” – was filed in November 2017 with the Secretary of State and expected to qualify for the 2018 ballot. Under the proposal, a consumer could request that a business disclose what categories of personal data it compiles, and prevent the sale or sharing for commercial purposes of any of the consumer’s information.
June 25, 2018
Since being filed, the initiative’s backers have successfully guided the measure through the qualification process, gathering signatures and having them verified by the Secretary of State’s office, and are now poised to place it on the ballot for California voters this fall. The deadline for ballot measure submission is Thursday, June 28th.
However, it now appears that the Legislature has struck a last-minute deal with initiative proponents to have the measure withdrawn if a newly amended privacy bill, Assembly Bill 375 (Chau), was to be enacted into California statute. In an example of how intertwined the privacy initiative and the newly amended bill are, AB 375 provides that it shall become operative only if the California Consumer Privacy Act of 2018 is not submitted for voter approval.
AB 375, which would become effective on January 1, 2010, in many ways mirrors the CCPA of 2018. The bill gives consumers the right to request from a business what information the business collects on them, the sources of the information, any third parties with whom the information is shared and the business purpose for collecting or selling the information. Consumers are given the right to require a business to delete personal information. Personal information does not include information derived from public government records but does include such identifiers as a name, postal address, email address, social security number and driver’s license number.
The bill does contain exemptions. A business may use or share information with a service provider if it is necessary to perform a business purpose, for example. Furthermore, a business does not have to delete personal information if it is necessary for the business to complete a transaction for which the information was collected, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business. Generally, a business with an annual gross revenue of less than $25 million is exempt unless its business is selling consumer information.
Enforcement is vested in the Attorney General, and companies have a grace period to cure any alleged violations. Any business can seek an opinion from the Attorney General for guidance. Fines are limited to $7,500 per intentional violation. In addition, the bill contains a limitation on individual damages for data breaches.
The last-minute deal has not left the parties at the negotiating table much time to maneuver the challenges of having the bill signed into law by the June 28th deadline – a condition the backers of the privacy initiative say must be met before they will pull the measure from the ballot. And in a sign of the uncertainty surrounding the negotiations, a flurry of activity, with proposed amendments being inserted and pulled, is taking place as the bill heads toward a hearing in the Senate Judiciary Committee Tuesday morning.