California legislators are currently negotiating the passage of a bill that would grant Californians increased control over their data. If the bill is not signed into law by Thursday, a stricter version of it will be presented on the November ballot as a measure. It is likely some form of the bill or measure will be negotiated and passed.
Although the bill is more balanced than the measure, it will certainly have a consequential effect on how businesses store, share, disclose, and engage with consumer data. To that end, it will impact the way e-commerce companies function both operationally (network and product architecture) and legally (compliance and regulatory issues).
If this bill passes, there will be a large impact on businesses, particularly those that are part of a larger ecosystem of organizations. The organizational impact will be felt on the consumer-facing side, the internal side, and the vendor management side. For many businesses the impact is even greater, as they have likely just come into compliance with, or are still working to come into compliance with, the EU's General Data Protection Regulation (GDPR), which came into effect on May 25, 2018.
To comply with the bill, businesses will need to create internal processes to respond properly and promptly to consumer requests for information, requests for deletion, and requests to opt out of having their information sold. Businesses will also need to update their privacy policies and websites to provide the more stringent disclosures and the methods by which consumers can exercise their newly acquired rights. Vendor management and controls will also need to be updated to ensure compliance with the limitations provided for in the bill. Businesses that rely heavily on analyzing data will need to strengthen their technical capabilities to ensure that personal information is de-identified.
For technology companies, this bill may create additional obstacles when building an ecosystem of different organizations, each bringing a unique aspect to the product or service. Consider the companies involved in creating a mobile application experience for consumers: each provides one of the various APIs and SDKs that together enable that experience. Each involved party will need to understand the data that the others are collecting, sharing, and selling, and obtain representations and warranties in their agreements to protect itself from a consumer class action or regulatory enforcement. As has already been demonstrated, all parties involved in an ecosystem will likely be held responsible for the conduct of the others. Partners and vendors will need to be carefully vetted by business teams and legal counsel prior to engagement. Additionally, many contractual provisions, such as licensing of data and indemnity, will become greater points of contention in business-to-business deals and should be carefully discussed and reviewed with legal counsel.
| California Measure No. 17-0039 (as of 6/26/2018) | California Assembly Bill 18-375 (as of 6/25/2018) |
|---|---|
| Effectively adds the following categories of information to the concept of "personal information": records of purchases, services, and "consuming histories or tendencies"; | Effectively adds the following categories of information to the concept of "personal information": records of personal property, products, or services, and "consuming histories or tendencies"; |
| Personal information is not considered "de-identified" unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information. | Personal information is not considered "de-identified" unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information. |
| Adds the concept of proportionality (i.e., "reasonably necessary") to the definition of "business purpose," which must have been permitted. | Adds the concept of proportionality (i.e., "reasonably necessary") to the definition of "business purpose," which must have been permitted. |
| "Selling" personal information includes "releasing, disclosing, disseminating, making available" for "valuable consideration," and "sharing orally, in writing, or by electronic or other means" for "valuable consideration" or "for no consideration for a third party's commercial purpose." | "Selling" personal information includes "releasing, disclosing, disseminating, making available" for "valuable consideration." Does not include third-party processors who receive that information only for processing. |
| Collectors – Consumers have the right to request the categories of personal information collected. Sellers – Consumers have the right to request the categories of personal information collected and exactly to whom it was disclosed. Both may require a verifiable request. | Collectors – Consumers have the right to request (1) the categories of information collected, (2) from whom it was collected, (3) the specific business purposes for which it was collected, and (4) with whom it is shared. Sellers – Consumers have the right to request (1) the categories of information sold and (2) to whom it was sold. "Sellers" appear to also be "collectors." Both may require a verifiable request. Certain exceptions to the above apply for truly "one-time" uses. Businesses that receive verifiable requests from consumers to delete their personal information must delete, and direct any service providers to delete, such information. Compliance is not required if it is necessary for the business or service provider to maintain the personal information (such as for legal, security, or transactional needs). |
| Disclose and deliver the required information to the consumer within 45 days, in writing and delivered through the consumer's account, or by mail or electronically at the consumer's option if the consumer does not maintain an account. | Disclose and deliver the required information to the consumer within 45 days, in writing and delivered through the consumer's account, or by mail or electronically at the consumer's option if the consumer does not maintain an account, "in a readily useable format that allows consumer to transmit this information from one entity to another entity without hindrance." |
| Contains express form requirements for disclosures, including for opt-out notices and online webforms and links. | Contains express form requirements for disclosures, including for opt-out notices and online webforms and links. |
| Consumers have a right to say no to the sale of their information at any time. Sellers have to provide an opt-out notice before consumer information may be sold. Sellers must provide a clear and conspicuous link on their homepage to allow consumers to opt out of the sale of personal information. | Consumers have a right to say no to the sale of their information at any time. Collectors have to provide an opt-out notice before consumer information may be shared. Sellers have to obtain an "explicit notice" before they can sell information. Minors under 16 years of age must "opt in." Sellers must provide a clear and conspicuous link on their homepage to allow consumers to opt out of the sale of personal information. Clearer exceptions for: (1) completion of the business purpose with the consumer, (2) security and debugging purposes, and (3) compliance with a legal purpose. |
| A privacy statement that includes: (1) a description of consumers' rights and the methods of submitting requests; (2) a list of categories of information collected; (3) a list of categories of information disclosed; (4) a list of categories of information sold. | A privacy statement that includes: (1) a description of consumers' rights and the methods of submitting requests; (2) a list of categories of information collected; (3) a list of categories of information disclosed; (4) a list of categories of information sold. |
| Requirement that a business not discriminate against consumers for exercising their rights under the title, including by: | Requirement that a business not discriminate against consumers for exercising their rights under the title, including by: Businesses may, however, offer financial incentives to consumers to obtain their personal information, but the practices under this entire subsection may not be "unjust, unreasonable, coercive, or usurious." |
| Exceptions: | Exceptions: |
| Enforcement: | Enforcement: |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.