With more than double the number of required signatures well ahead of the verification deadline late this month, the citizen-initiated measure "The California Consumer Privacy Act of 2018" appears headed for the statewide ballot on November 6. If approved by a majority of Golden State voters, the ballot measure would greatly expand right-to-know and opt-out requirements, subjecting covered businesses to increased costs for compliance and strict liability for any violations.
If enacted into law, the ballot measure will apply to companies that conduct business in California or collect California residents’ personal information. Small businesses, however, will be spared, as the measure only applies to businesses that have annual gross revenues over $50 million, annually sell (alone or in combination) the personal information of 100,000 or more consumers or devices, or derive 50 percent or more of annual revenue from selling consumers’ personal information. Just as with Europe’s recently enacted GDPR, these covered businesses will have to decide whether to treat California consumers differently or implement these standards nationally.
Expanded Privacy Rights
The ballot measure builds on California’s Online Privacy Protection Act and Shine the Light law, which, together, already require businesses engaging consumers in California to post a privacy policy disclosing what personal information they collect and to provide a mechanism for consumers to opt out of sharing personal information for direct marketing purposes. The ballot measure, however, would require disclosure of personal information that is collected or shared for any reason—business-to-business, direct marketing, or other. The measure also defines "personal information" more broadly to include, for example, biometric data, browsing history and similar website interactions, geolocation data, and inferences drawn from any such information. The ballot measure does not apply to information protected under HIPAA.
California's ballot measure provides consumers, defined as California residents, with:
-
the right to know what personal information a business has collected about them;
-
the right to know what personal information about them has been disclosed and to whom; and
-
the right to direct a business not to sell their personal information (i.e., the right to opt out).
Covered businesses would only be required to disclose and/or provide such requested information to the same consumer once in any 12-month period. Should a consumer decide to opt out, this decision must be respected for at least 12 months and no subsequent sale of that consumer’s personal information is permitted without express consent. Further, covered businesses would be prohibited from charging different prices, providing a different quality or level of goods or services, or otherwise discriminating against consumers who exercise any of these rights.
Increased Obligations for Covered Businesses
If not already subject to and in compliance with the obligations under the GDPR, affected businesses would have to make some upfront investments in their data privacy practices. Most notably, covered businesses would need to be able to verify and respond to consumer requests for information within 45 days, in addition to tracking and respecting opt-out requests. The ballot measure requires two or more designated methods for submitting requests for information, including, at minimum, a toll-free telephone number and a website address (if applicable). Additionally, websites and privacy policies must be updated to include a description of consumers’ rights, a clear and conspicuous link on both the homepage and privacy policy page, titled "Do Not Sell My Personal Information," and lists of all categories of personal information collected by the business or sold or disclosed to third parties in the previous 12 months.
If approved by a majority of Californians voting in November’s election, covered businesses will have nine months to comply with the ballot measure.
Avenues for Enforcement and Financial Penalties
If the measure is enacted, covered businesses would be wise to comply immediately due to the risk of harsh financial penalties. The ballot measure provides multiple avenues for enforcement: a private right of action by consumers, a civil action brought by the Attorney General, and whistleblower actions. In any of these instances, the measure provides for damages of $1,000 per violation or actual damages, whichever is greater. For willful or knowing violations, the amount for each violation is "not less than one thousand dollars ($1,000) and not more than three thousand dollars ($3,000), or actual damages, whichever is greater, for each violation from the business or person responsible for the violation." Notably, the ballot measure provides that any consumer who has suffered a violation may bring an action for statutory damages—and that a violation "shall be deemed to constitute an injury in fact to the consumer who has suffered a violation." The ballot measure also incentivizes whistleblowers by providing a right to a percentage of any civil penalties.
Liability may also result if a third party, to which the covered business sold personal information, discloses the information in violation of the ballot measure and the covered business is found to have had actual knowledge or reason to believe that the third party intended to commit such a violation. Further, any security breach constitutes a violation under the ballot measure unless the covered business is found to have implemented and maintained "reasonable security procedures and practices."
As a citizen-initiated measure, 365,880 valid signatures are required to be certified for California’s November 6, 2018, statewide ballot. The deadline for signature verification is toward the end of June, but it is likely not a concern given that the initiative has already received more than double the required amount of signatures. Under California law, if the ballot measure is passed, it may only be amended by another ballot measure approved by the voters and passed by a vote of 70 percent of the members of each house of the legislature and signed by the governor. As expected, there is an opposition coalition comprising several major companies, but it may be weakening given the current climate created by the Cambridge Analytica scandal and rampant data breaches. Potentially affected companies should begin to consider the implications and costs of compliance given the chance this ballot measure becomes effective in November.