California Passes GDPR-Style Data Privacy Law


AB 375, the California Consumer Privacy Act of 2018, has been signed into law. The bill was signed by California governor Jerry Brown on Thursday after the state Senate and Assembly passed the bill unanimously.

California already has some of the strictest privacy laws in the United States. Under existing legislation, companies that experience a breach of personal information must notify affected individuals if their computerized data is exposed or stolen. This law takes privacy protections much further and gives state residents several new GDPR-style privacy rights, including:

  • The right to request information from businesses about the categories of personal data collected and processed and the sources of that information
  • The right to be informed of the purposes for which personal data is collected, used, and sold
  • The right to be informed of the categories of third parties with whom the information is shared
  • The right to request a copy of all personal information a business has collected
  • The right to have all personal information deleted on request
  • The right to request that personal information not be sold
  • The right to initiate civil action if there has been a failure to protect an individual’s personal data

The law also prohibits any business from discriminating against an individual who chooses to exercise the above rights, including by charging such an individual more or by providing a different quality of goods or services.

The Act also prohibits companies from selling the personal data of individuals between 13 and 16 years of age unless the individual has opted in. For individuals younger than 13, a parent or legal guardian must provide consent before personal information can be collected.

Businesses will be required to explain, at or before the collection of personal information, the categories of information that will be collected and the purpose for which that information is collected. Businesses will be prohibited from collecting more information than is stated in their consumer notices. Consumers must also be advised of the right to have their information deleted at the point of consent being obtained.

Businesses must place a clear link on the homepage of their websites titled “Do Not Sell My Personal Information” that directs the user to a webpage where they can opt out of the sale of their personal data.

The Act will not apply to protected health information collected by HIPAA-covered entities. “This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996.”

The California Consumer Privacy Act of 2018 has been criticized as a rushed attempt to head off a voter initiative that would have appeared on California ballots in November had the bill not been passed by 5pm on Thursday.

While the bill has been signed into law, the California Consumer Privacy Act of 2018 can be amended before its effective date of January 1, 2020.

The bill has been heavily criticized by the Internet Association, which has stated, “Data regulation policy is complex and impacts every sector of the economy, including the internet industry… That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”

The Internet Association released a statement saying, “It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”

Author: HIPAA Journal
