Beyond GDPR: New California Consumer Privacy Law

If you just spent millions of dollars and untold work hours complying with Europe’s General Data Protection Regulation, tough luck. You may need to do it all over again.

That’s because California just passed a sweeping privacy bill that imports GDPR concepts, often word for word – but just as often with a twist. All of which translates into potential big-time consequences for any company doing any business in California—and yes, even if you’ve already spent millions on GDPR compliance.

The California Consumer Privacy Act of 2018 becomes effective January 1, 2020, with broad implications for companies that collect and sell consumer data online.

Lisa Sotto, managing partner and chair of the global privacy and cybersecurity practice at law firm Hunton Andrews Kurth, puts it succinctly: “Every company that does business in California will need to assess the law’s applicability and, if applicable, will have substantial work ahead to implement its requirements.”

Implications of a Hastily Written Privacy Law

Even many of those who actually read the massive 10,000-word bill are scratching their heads about what to do next. Many are still trying to decipher the myriad requirements in the Act, given that it was hastily stitched together by lawmakers in a rush to avoid a statewide privacy ballot initiative (which just about everyone agrees would have been even worse).

Paola Zeni, Senior Director of Global Privacy for Palo Alto Networks, tells us you can think of the law as broadly providing consumers with greater transparency and control over how companies use their data. For example, it gives consumers the right to know the types of personal data a company collected, how the data is used and sold, and to request that the company delete the information.

To make absolutely certain that consumers can’t miss their right to opt out of having personal data resold, the California privacy bill specifies that companies must display a “clear and conspicuous” link on their home page. And it dictates the exact words for the link’s label: “Do Not Sell My Personal Information.”

Is Your Company Affected?

The law may affect a wide range of companies, including Internet-based businesses and data brokers that sell data used in ad-targeting and other purposes. “Business models may be impacted: many Internet businesses thrive because of their ability to trade in data,” Zeni says.

The law’s wide net ensnares any company that does business in California and meets at least one of the following:

  • Has revenue greater than $25 million,
  • Collects or resells personal information for 50,000 consumers,
  • Gets at least 50 percent of its revenue from selling consumers’ personal information.

What if you fail to comply? There are civil penalties of up to $7,500 per violation, which could add up to millions or billions of dollars; consumers also have the right to sue privately in certain cases.

GDPR Compliance is Not Enough

The California law borrows concepts such as transparency and consumer consent from the GDPR. But it’s more narrowly focused than GDPR, and it implements privacy concepts differently. So even companies that have invested heavily in GDPR compliance may have to invest again for California. “The expectation that complying with GDPR would take care of compliance with the California privacy law is not accurate—companies need to look at the differences between the two,” Zeni says.

Still, at least some of the work companies have done for GDPR may be useful in complying with the California law. For example, companies may have mapped all the data they collect and how the data is used, Zeni says. That can help them determine how to update disclosures and ensure they have the systems and processes in place to enable consumers to opt out.

In addition, says Zeni, the California privacy law demonstrates how regulations such as GDPR can generate an expanding global impact as they are copied in other regions. Attorney Sotto adds that the California privacy law contains “some random phrases that are straight out of the GDPR and have never been used before in U.S. law, such as ‘rights and freedoms’ and ‘determines the purposes and means of the processing.’”

Powerful Driving Forces: Consumer Concerns and Privacy Activism

Zeni notes that as significant as the law is, the extraordinary dynamics that led to its passage are just as important. The legislature rushed to approve the bill in order to head off a ballot initiative funded by a wealthy privacy activist. That initiative, which gathered some 600,000 signatures of support, would have put an even stricter measure before California voters this coming November.

“Privacy activism at this level is really a first, especially when it is directed at businesses that are selling consumer information. This is really a seismic change, and a primary consideration for boards,” Zeni says. “In the past, privacy has been regarded at many organizations as a compliance issue that is confined to relatively few people within the company—not a topic that resonates with so many consumers and is so politically charged.”

Amendments on the Way?

In the rush to pass the bill, lawmakers didn’t have time to examine how it intersects and possibly conflicts with existing privacy laws and requirements, such as California’s data breach requirements and online privacy protection law, Zeni says.

But as Douglas Adams says, “Don’t Panic.” Or, at least, not yet. Take a deep breath. One of the big differences between a ballot initiative and a law is that the law is much easier to change. And another thing that everyone seems to agree on is that this law will, in fact, change before it goes into effect. There’s likely to be intense lobbying for changes and fixes during the coming months.

“There is a crying need for amendments,” Sotto says. “There are many internal inconsistencies and errors that need to be corrected. Nevertheless, businesses should begin thinking about how the law might impact them and put a plan in place. While there will likely be changes, the basic tenets probably will not change. Given the privacy community’s recent experience with GDPR, companies would be well advised to get an early start on compliance with the California law.”