Do we need more particularized data privacy rights for U.S. citizens?

In a first this year late June, California passed A.B. 375, the California Consumer Privacy Act of 2018, a sweeping piece of legislation that, on its face, grants California residents data privacy rights that have never before been granted in the United States.

california-data-privacy-lawsIn late June, California passed A.B. 375, the California Consumer Privacy Act of 2018, a sweeping piece of legislation that, on its face, grants California residents data privacy rights that have never before been granted in the United States.

The law was driven by recent privacy scandals and the political pressure of a potential privacy rights ballot initiative that advocates agreed to drop in lieu of the passage of A.B. 375. Even more than the practical implications of the law, its passage spurred additional public debate that could lead to federal data privacy legislation and more particularized data privacy rights for U.S. citizens.

Generally, A.B. 375 allows consumers (defined as natural persons who are California residents) to demand access to all of the personal information that a company has collected relating to them, along with a full list of third parties with which the company has shared that data. In addition, the law allows consumers to sue companies – including through class actions – if they violate its privacy guidelines.

The law applies to for-profit companies that collect consumers’ personal information, conduct business in California, and fall into one of three categories:

  1. Realize gross revenues in excess of $25 million.
  2. Receive or disclose the personal information of 50,000 or more consumers, households or devices annually, or
  3. Receive 50 percent or more of annual revenues from selling consumers’ personal information. Additional provisions bring corporate affiliates of these companies if they share branding.

A.B. 375 grants consumers four categories of privacy rights.

First, the right to know what personal information a business has collected about them, including the source of that information, what is being done with it, and with whom it is being shared.

Second, the right to “opt out” of a company being permitted to sell their personal information to third parties.

Third, the right to request the deletion of their personal information. And fourth, the right to not be discriminated against if they exercise their data privacy rights.

Interestingly, however, A.B. 375 opens the door to allowing companies to pay consumers for the right to share their data by permitting, under certain circumstances, the granting of a different price to a consumer related to the value of that consumer’s data.

For the purposes of this law, “personal information” is defined broadly, including any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household. But A.B. 375 does exclude information that is properly made available by federal, state, or local records provided that such information is used for a purpose compatible with the purpose for which it is maintained. A.B. 375 also carves out de-identified personal data (i.e., anonymized data) and aggregate data (both of which are narrowly defined).

The law does not come into effect until January 1, 2020, and numerous companies and lobbyists will be proposing amendments that could narrow its scope and impact. Companies that deal in consumer data – including retailers, internet service providers, and other web-based companies – will be working to scale back to privacy rights set forth in A.B. 375 based on the costly nature of compliance.

The state attorney general will also work with public stakeholders to develop a particularized compliance framework for impacted companies to work toward in the coming 16 months. But even a curtailed version of A.B. 375 is likely to require significant privacy policy changes for companies falling within its reach.

Perhaps most importantly, the passage of A.B. 375 coincides with increasing public and political acknowledgement of the need to better protect personal data. The week before it was signed into law, the Supreme Court issued its decision in Carpenter v. United States, 585 U.S. ___ (2018), holding (in a Fourth Amendment context) that an individual has a reasonable expectation of privacy in his geolocation data, despite that data being collected and held by cell phone companies.

Since June, many federal lawmakers ramped up efforts to draft and pass data privacy bills that address the manners in which companies collect, maintain, and use personal information. Seehttps://www.axios.com/congress-eyeing-national-privacy-rules-in-wake-of-california-law-d79c94b3-52e2-4ac2-846a-089d454d1905.html.

For now, companies impacted by A.B. 375 should be crafting draft privacy policies and procedures that would allow them to comply with the current iteration of the law. At the same time, they should follow proposed amendments to the law, raise issues with the California legislature if they unearth cost or logistical difficulties in their early compliance efforts, and keep an eye on Congress’ efforts on the same topic.

 

Courtesy: John C. Eustice

John C. Eustice is a member at the law firm Miller & Chevalier, chartered in Washington, D.C.
Advertisements

Author: Abhishek Srivastava

Abhishek Srivastava is the Enterprise Architect at OCLC Online Computer Library Center, where he works on defining companywide strategy, governance and architecture with other application, infrastructure and domain architects. He has over 19 years of software development and architecture experience, including serving as lead architect on several major projects. He specialized in data architecture, SOA, integration, and delivery of large distributed systems. Abhishek's professional interests are data management, data governance, cloud computing, integration architecture and Big data. He holds an MBA from Mccombs Business School and an engineering degree from IIT Roorkee. Abhishek blogs about Data and architecture at dataisles.com. He can be reached at abhi@dataisles.com.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s