The Class-Action Risk Inherent in California’s New Strict Data Privacy Law
Right on the heels of GDPR’s compliance deadline and hitting a little closer to home, the governor of California has signed AB 375—the California Consumer Privacy Act of 2018. This is a first-of-its-kind law, at least from a US-perspective, that has been called historic in terms of privacy and consumer protections.
Much like GDPR, the comprehensive law gives users more control over their data and places penalties on companies that fail to comply. There is a very unique American aspect to this law however – the private cause of action that is given to California residents. Whereas the “teeth” in the EU-law is the threat of regulatory investigation and fines, the “teeth” in the California law takes a familiar American approach — leave enforcement up to private litigation!
The more serious risk may be the private right of action in data breach cases where no such right currently exists. As the Wall Street Journal has aptly noted:
The new law opens businesses to potential litigation in which the plaintiff won’t need to prove economic loss or harm. Virtually any company available on the internet in California would be affected, and statutory damages apply “per consumer, per incident.” On the internet, “incidents” can quickly number in the thousands.
– Wall Street Journal, Thomas M. Boyd, July 4 2018.
Generally, the bill ensures the right of California residents to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Opt-out of the sale of personal information.
- Access their personal information.
- Have their information deleted, with some limitations
These are all rights that are familiar to any business that has recently gone through the heavy lift of GDPR accountability (or, to those who have tried to avoid being swept into such accountability efforts). The bill also provides that businesses cannot deny service because an individual will not permit the sale of their information but can offer financial incentives for the collection of personal information.
In the event of a data breach not only will investigators be able to levy regulatory fines, but, the far greater risk is that of the class action to litigate the perceived harm of data rights that had not been adequately protected.
What Is Considered Personal Information?
AB 375 defines personal information broadly, as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household.” This definition aligns closely with the EU General Data Protection Regulation’s definition of personal data. The Act enumerates examples of personal information, citing among other elements, name, postal or email address, Social Security number, government-issued identification number, biometric data, Internet activity information, and geolocation data. It also references “inferences drawn on any of the information identified” in the definition.
This definition is far broader than the typical definition of personal information most US-businesses think about, namely, name, address, and some account information.
Does Your Company Need to be Compliant?
The Act will apply to for-profit businesses that conduct business in California that collect consumers’ personal information and that determine the purposes for processing and the way processing is carried out; have annual gross revenues in excess of $25 million; or derive 50% or more of its annual revenue from selling personal information. Businesses that annually buy, receive for commercial purposes, sell or share for commercial purposes the personal information of 50,000 or more consumers also need to comply.
With California taking the lead in comprehensive data privacy laws, other states are sure to follow. Contact Achieved Compliance to learn about our range of solutions that will help your company become compliant with GDPR and U.S. domestic data privacy regulations.
Achieved Compliance – helping you navigate the complex world of data compliance.
Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.
For more information as to how we can help your organization be GDPR compliant please contact email@example.com.