For the first half of 2018, all eyes were focused eastward on the EU with the start of GDPR enforcement this May. Now, all eyes are shifting westward based on a bold new law passed by California. By January 1, 2020, companies around the world will have to comply with additional regulations related to the processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies must observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and statutory damages. The California Legislature adopted and the Governor signed the bill on June 28, 2018 after an unusually rushed process in exchange for the proposed initiative measure No. 17-0039 regarding the Consumer Right to Privacy Act of 2018 (the “Initiative”) being withdrawn from the ballot the same day, the deadline for such withdrawals prior to the November 6, 2018 election.
In addition to being a partner at Baker & McKenzie, Lothar has taught data privacy law at many schools including Freie Universität Berlin, UC Berkeley School of Law, Hastings College of the Law, Stanford Law School, and University of San Francisco School of Law. He has written more than 100 articles and 5 books, including a treatise about California Privacy Law.
This October 3, Lothar will be leading a California Privacy Law Workshop at my event, the Privacy+Security Forum.
SOLOVE: In what ways is this law significant and innovative?
DETERMANN: With this law, California responds to growing public concerns regarding trading of personal data and data security breaches. The Internet as we know it today – with a large ecosystem of charge-free services, funded through behavioral advertising and data commercialization – was born and raised in California. Perhaps it will die here too.
Free bicycle maps, mobile navigation services, social networks and much more — all innovative online services that could never have scaled to critical mass if companies were forced to rely on subscription fees for and after the initial launch. Other established pay services, such as news and email were quickly replaced by charge-free offerings. Let’s face it, consumers like free stuff and have never actually cared much about privacy in the past. See Lothar Determann, Social Media Privacy: a Dozen Myths and Facts, 7 Stanford Technology Law Review (2012). Based on user statistics and company earning reports, I do not believe this has changed today – the new law hardly came from “the people.”
Perhaps the most significant and innovative component of the Act is its anti-discrimination provisions. Few, if any, U.S. privacy laws – or any other U.S. law for that matter – dictate how companies may calculate prices or allocate costs. The new law will prohibit companies from charging California residents for the costs of data access, deletion and mobility requests, or discriminate against consumers who make such requests or opt-out of data trading. This may effectively doom charge-free services, as companies may no longer be able to rely on data monetization revenue to scale their business, e.g., from behavioral advertising on news sites, retargeting for online stores, or mobility data from apps.
Significant also is the breadth of the statute: Companies in all industry sectors, anywhere in the world, are required to comply, with respect to any categories of personal data. This feature of the law, though, is not particularly innovative, as it largely catches up with European data protection regulation, which is also extremely broad in scope and definitions.
Also significant are additional statutory damages for data security breaches. For more details, see Lothar Determann, Be Wary of Liability for Statutory Damages under California Consumer Privacy Act, Bloomberg BNA Privacy Law Watch (July 09, 2018). These will have a huge impact on companies that find themselves victims of a cyberattack or data theft and that under this new law may now face class action lawsuits containing claims for statutory damages of up to $750 per consumer – even if no consumer suffered any actual harm. This concept is not entirely new. California included similar provisions in a data security law pertaining specifically to automated license plate scanners back in 2016.
Innovative, but of significance only to a limited subset of companies, are new thresholds exempting companies that have lower revenues and that do not trade user data. Few other, if any, privacy laws exempt smaller companies in this manner, given that consumer privacy interests can be harmed equally by small and large companies alike. Still, the new law also contains broad regulatory restrictions, beyond what is necessary to protect individual privacy, so it seems appropriate to exempt smaller companies, and in fact the thresholds in the new law may not be too low.
Finally, new rules pertaining to dual public / private enforcement are noteworthy: Plaintiffs’ attorneys will have to notify companies of violations first and then offer the case to the California Attorney General, who can either prosecute the case, veto private litigation, or let the private litigation proceed. Additionally, the California Attorney General is financially incentivized to enforce the new law through the establishment of a “Consumer Privacy Fund,” which will offset costs incurred by State Courts and the Attorney General in the course of enforcing the law, financed by 20% of all penalties that the Attorney General collects. The new system seems intended to curb the worst consequences of enforcement by class action lawsuits. At the same time, it also provides for private rights of action, statutory damages and penalties, all of which are expected to maintain pressure on companies through an active plaintiffs’ bar.
SOLOVE: The law was very hastily drafted and has many areas that are confusing and unclear. What are some of the problems you have identified with the law?
DETERMANN: The law has numerous inconsistent and unclear provisions, which will hopefully be addressed in corrections during the next few months.
For example, instead of referring to the established definition of “security breach” as codified in other parts of the California Civil Code, the new Section 1798.150(a)(1) refers to “unauthorized access and exfiltration, theft, or disclosure.” While the qualifier “unauthorized” makes sense to limit “access, exfiltration and disclosure,” it does not in the case of “theft.” Also, grammatically, “unauthorized” could be read to qualify only “access and exfiltration.” If this were the case, though, any disclosure, even if authorized, could trigger statutory damages. Also, the concept of precluding statutory damages if a breach is cured (as in California Civil Code §1798.150(b)(1)), while a good idea in principle, does not seem appropriate in the context of data security breaches, which can hardly ever be undone.
Perhaps an even bigger problem is that the new requirements are duplicative or inconsistent with disclosure and other requirements contained in the numerous existing California data privacy laws. The California Legislature should immediately revisit all existing California data privacy laws and abolish, or at a minimum, align and simplify sector and harm-specific privacy laws that require notice and consent in various forms and with nuanced requirements. In my practical guide and commentary, California Privacy Law (3rd edition, 2018), I cover hundreds of California and Federal privacy laws and my initial sense is that many of these can and should be repealed or simplified to align with the new provisions in the California Consumer Privacy Act.
SOLOVE: Are there any parts of the law that you find particularly praiseworthy or problematic?
DETERMANN: My personal view is that the broadened requirement for all companies and industries to provide notices regarding their data handling practices is appropriate and could simplify compliance if California repeals all the sector and situation-specific notice requirements, e.g., regarding website privacy policies (California Online Privacy Protection Act), direct marketing (Shine the Light Law), automated license plate scanners, etc.
I am not sure that data access and portability requirements are as crucial and worth the cost to society and consumers as a whole. If companies are forced to offer such rights, they should be able to charge those who make requests for the resulting costs. Companies should not be forced to abandon charge-free service offerings or raise prices for all customers to accommodate a subset population with special interests in data privacy or unrelated agendas. Most data access requests I have seen clients subjected to since GDPR came into effect were initiated by journalists, activists, IT contractors, disgruntled employees and consumers who had an entirely unrelated beef with the company, such as overdue bills being handed off to collection agencies or limitations on the use of gift cards across physical and online stores.
Besides the statut