What does California’s new privacy law mean for companies and consumers?
When California Assembly Bill 375 (AB 375), also known as the California Consumer Privacy Act, goes into effect in 2020, companies stand to face the toughest privacy requirements in the United States. The purpose of AB 375 is to create transparency and control for consumers and their data, and to establish meaningful requirements for companies that collect and use that data. Some notable conditions under AB 375 include the following:
- Companies must inform consumers of the data they collect and the purposes for which it is used.
- Consumers can require companies to delete their data and direct companies to cease the sale of their data.
- Companies will be required to disclose to consumers their right to request deletion of their data and their right to opt out of the sale of their data.
- Companies that collect, sell, or disclose consumer data must disclose the categories of data that were collected, sold, or disclosed, as well as the third parties to whom the data was sold or disclosed.
- Consumers will have the right to obtain their data in a portable format such that it may be provided to another entity.
How did this law originate?
California legislators swiftly ushered AB 375 along to avoid a more restrictive voter initiative proposed by the Californians for Consumer Privacy, a group that agreed to withdraw its voter initiative if a law was signed by California’s governor by 5 pm PT on June 28.
Many tech companies were opposed to the tough voter initiative, but did not rally as vehemently against AB 375. This is likely because the voter initiative would have been more rigid, with tougher restrictions and disclosure requirements, as well as steeper potential fines for noncompliance than those imposed by AB 375.
Is this California’s version of the GDPR?
AB 375 bears a resemblance to the General Data Protection Regulation (GDPR), which went into effect in the European Union in May 2018. At their cores, both the GDPR and AB 375 are designed to require companies to be transparent regarding their policies around personal information, but there are notable differences between the two laws.
For instance, unlike the GDPR, AB 375 calls for “opt-out” as opposed to “opt-in” consent to collect, process, or sell consumer data and does not specifically prohibit certain practices. In addition, both specify that certain information must be provided to consumers, but while the GDPR leaves it to companies to ensure transparency in their policies, AB 375 calls for the attorney general to enact appropriate rules, procedures, and exceptions to ensure that data policies are easily understood by the average consumer.
To comply with AB 375, companies will need to reassess their policies and make practical changes—even if they recently undertook the same process to ensure compliance with the GDPR. This might include:
- amendments to privacy policies and practices,
- modifications to various workflows to effectuate requests from consumers, and
- reevaluation of and updates to overall privacy, governance, and compliance programs.
So, what’s next?
It remains to be seen whether companies will be forced to effectively operate under different rules in California, or if they will seek to adopt privacy rules applicable to all consumers regardless of whether the consumers reside in California. In addition, modifications to AB 375 may be made before implementation in 2020, or other states may ultimately follow California’s lead and pass their own strict privacy laws in response. Regardless, AB 375 is undoubtedly going to force many companies to reassess, if not modify, their business models where they rely on consumer data.