Businesses are understandably focused this week on the looming effective date for the European Union’s General Data Protection Regulation (GDPR). For U.S. businesses, however, a proposed law closer to home would raise similar compliance burdens and create potential litigation risks.
This November, voters in California will likely vote on whether to pass a ballot initiative titled “The Consumer Right to Privacy Act of 2018.” Proponents of the Act, which would broadly expand California residents’ rights to their personal data, announced this month that they submitted 625,000 signatures to the California Secretary of State in support of the measure. Assuming the secretary of state certifies that enough signatures are valid (approximately 366,000 signatures are required to qualify), California voters will be in a position to directly pass the Act into law.
The California measure would grant consumers three principal rights: (1) the right to ask companies to identify the personal data they collected on the consumer; (2) the right to demand that personal data not be sold or shared for business purposes; and (3) the right to sue companies that violate the law or that experience data breaches.
The law would apply to companies that do business in California and that: (a) have $50 million or more in annual gross revenue; (b) sell the personal information of 100,000 or more consumers or devices; or (c) derive 50 percent or more of their annual revenue from selling consumers’ personal information.
Among the notable features of the proposed law is its expanded definition of personal information, which includes both traditional identifiers such as name, email and Social Security number, and commercial information such as usage data, browsing or search history and purchasing tendencies. Businesses subject to the Act would be required to give consumers the right to opt out of the sale of such personal information and would be barred from discriminating against consumers who opt out.
As noted, the Act would create a private right of action both for violations of the Act and in connection with data breaches. Further, the Act provides that a breach of a consumer’s personal data constitutes an injury-in-fact, with statutory damages available in amounts from $1,000 to $3,000 per violation. This would likely prevent class action defendants from seeking dismissal of claims where plaintiffs could not establish actual harm.
Should the Act pass in November, the law would go into effect immediately, but would provide a nine-month grace period for compliance.