California legislators are currently negotiating the passage of a bill that would grant Californians increased control over their data. If the bill is not signed into law by Thursday, a stricter version of it will be presented on the November ballot as a measure. It is likely some form of the bill or measure will be negotiated and passed.

Although the bill is more balanced than the measure, it will certainly have a consequential effect on how businesses store, share, disclose, and engage with consumer data. To that end, it will impact the way e-commerce companies function both operationally (network and product architecture) and legally (compliance and regulatory issues).

If this bill passes, there will be a large impact on businesses, particularly those that are part of a larger ecosystem of organizations. The organizational impact will be on the consumer-facing side, the internal side, as well as the vendor management side. For many businesses, the impact is even greater as they have likely just come into compliance with or are working to come into compliance with the EU's General Data Protection Regulation, which came into effect on May 25, 2018.

To comply with the bill, businesses will need to create internal processes to properly and timely respond to consumer requests for information, requests for deletion, and requests to opt out of having their information sold. Businesses will also need to update their privacy policies and websites to provide the more stringent disclosures and methods for consumers to exercise their newly acquired rights. Vendor management and controls will also need to be updated to ensure compliance with the limitations provided for in the bill. Businesses heavily reliant upon analyzing data will need to heighten technological capabilities to ensure that personal information is de-identified.

For technology companies, this bill may create additional obstacles when building an ecosystem of different organizations, each bringing a unique aspect to the product or service. Consider the companies involved in creating certain mobile application experiences for consumers, each providing the various APIs and SDKs that enable the consumer experience. Each involved party will need to understand the data that the others are collecting, sharing, and selling, and obtain representations and warranties in their agreements to protect itself from a consumer class action or regulatory enforcement. As has already been demonstrated, all parties involved in an ecosystem will likely be responsible for the conduct of the others. Partners and vendors will need to be carefully vetted prior to engagement by business teams and legal counsel. Additionally, many contractual provisions such as licensing of data and indemnity will become greater points of contention in business-to-business deals and should be carefully discussed and reviewed with legal counsel.

California Measure No. 17-0039 (as of 6/26/2018) compared with California Assembly Bill 18-375 (as of 6/25/2018):

Measure No. 17-0039:
Effectively adds the following categories of information to the concept of "personal information":
  • Records of purchases, services, and "consuming histories or tendencies";
  • Biometric data;
  • Clickstream and "other electronic network activity information";
  • Geolocation data;
  • Consumer sensory information;
  • "Psychometric information";
  • Professional or employment-related information;
  • "Inferences drawn" from personal information.
Does not include "public information" and "de-identified information."

Assembly Bill 18-375:
Effectively adds the following categories of information to the concept of "personal information":
  • Records of personal property, products, or services, and "consuming histories or tendencies";
  • Biometric data;
  • Clickstream and "other electronic network activity information";
  • Geolocation data;
  • Consumer sensory information;
  • Professional or employment-related information;
  • Educational information not publicly available;
  • "Inferences drawn" from personal information.
Does not include "public information" and "de-identified information." But public information does NOT include: (1) information that is used in a way not compatible with its original purpose, or (2) de-identified or aggregate information.

Measure No. 17-0039 and Assembly Bill 18-375 (same in both):
Personal information is not considered "de-identified" unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information.

Measure No. 17-0039 and Assembly Bill 18-375 (same in both):
Adds the concept of proportionality (i.e., "reasonably necessary") to the definition of "business purpose," which must have been permitted.

Measure No. 17-0039:
"Selling" personal information includes "releasing, disclosing, disseminating, making available" for "valuable consideration", and "sharing orally, in writing, or by electronic or other means" for "valuable consideration" or "for no consideration for a third party's commercial purpose."

Assembly Bill 18-375:
"Selling" personal information includes "releasing, disclosing, disseminating, making available" for "valuable consideration." Does not include third party processors who receive that information for only processing.

Measure No. 17-0039:
Collectors – Consumers have the right to request categories of personal information collected.

Sellers – Consumers have the right to request categories of personal information collected, and exactly to whom it was disclosed.

Both may require a verifiable request.

Assembly Bill 18-375:
Collectors – (1) Consumers have the right to request categories of information collected, (2) from whom it was collected, (3) the specific business purposes for which it was collected, and (4) with whom it is shared.

Sellers – (1) Consumers have the right to request categories of information sold, and (2) to whom it was sold. "Sellers" appear to be also "collectors."

Both may require a verifiable request. Certain exceptions to the above apply for truly "one time" uses.

Assembly Bill 18-375:
Businesses that receive verifiable requests from consumers to delete their personal information must delete, and direct any service providers to delete, such information. Compliance is not required if it is necessary for the business or service provider to maintain the personal information (such as for legal, security, or transactional needs).

Measure No. 17-0039:
Disclose and deliver required information to consumer within 45 days in writing and delivered through consumer's account, or by mail or electronically at consumer's option if consumer does not maintain account.

Assembly Bill 18-375:
Disclose and deliver required information to consumer within 45 days in writing and delivered through consumer's account, or by mail or electronically at consumer's option if consumer does not maintain account, "in a readily useable format that allows consumer to transmit this information from one entity to another entity without hindrance."

Measure No. 17-0039 and Assembly Bill 18-375 (same in both):
Contains express form requirements for disclosures, including for opt-out notices and online webforms and links.

Measure No. 17-0039:
Consumers have a right to say no to sale of their information at any time. Sellers have to provide an opt-out notice first before consumer information may be sold.

Seller must provide clear and conspicuous link on homepage to allow consumer to opt out of sale of personal information.

Assembly Bill 18-375:
Consumers have a right to say no to the sale of their information at any time. Collectors have to provide an opt-out notice first before consumer information may be shared. Sellers have to obtain an "explicit notice" before they can sell information.

Minors under 16 years of age must "opt-in."

Seller must provide clear and conspicuous link on homepage to allow consumer to opt out of sale of personal information.

Clearer exceptions for: (1) completion of the business purpose with the consumer, (2) security and debugging purposes, and (3) compliance with a legal purpose.

Measure No. 17-0039 and Assembly Bill 18-375 (same in both):
A privacy statement that describes: (1) a description of consumers' rights and the methods of submitting requests; (2) a list of categories of information collected; (3) a list of categories of information disclosed; (4) a list of categories of information sold.

Measure No. 17-0039:
Requirement that business not discriminate against consumers for exercising their rights under the title, including by:
  1. Denying goods or services;
  2. Charging different prices or imposing penalties;
  3. Providing a different quality of services;
  4. Suggesting the above.

Assembly Bill 18-375:
Requirement that business not discriminate against consumers for exercising their rights under the title, including by:
  1. Denying goods or services;
  2. Charging different prices or imposing penalties;
  3. Providing a different quality of service;
  4. Suggesting the above;
...unless the above is related to differences resulting from "the value provided to the consumer by the consumer's data."

Business may offer financial incentives to consumers, however, to obtain their personal information. But the practices for this entire subsection may not be "unjust, unreasonable, coercive, or usurious."

Measure No. 17-0039:
Exceptions:
  1. to comply with federal, state, or local laws;
  2. cooperate with law enforcement;
  3. all activities take place outside of California;
  4. HIPAA exception;
  5. FCRA exception, for generation of a consumer report;
  6. Small businesses not covered by the definition of "business."

Assembly Bill 18-375:
Exceptions:
  1. to comply with federal, state, or local laws;
  2. cooperate with law enforcement;
  3. all activities take place outside of California;
  4. HIPAA exception;
  5. FCRA exception, for generation of a consumer report;
  6. GLBA exception, for activities carried out for that purpose, "if it is in conflict with that law";
  7. DPPA exception, for activities carried out for that purpose, "if it is in conflict with that law";
  8. Small businesses not covered by the definition of "business."

Measure No. 17-0039:
Enforcement:
  1. Private right of action by consumers for between $1,000-$3,000 per violation in statutory or actual damages.
  2. State AG enforcement also available. Also gives prescriptive authority to AG.

Assembly Bill 18-375:
Enforcement:
  1. Private right of action by consumers for between $100-$750 per violation in statutory or actual damages, after 30-day notice to cure, if it can be cured. Consumer will then notify state AG, if any, whose action will terminate consumer action.
  2. State AG enforcement available for stiffer penalties (up to $7,500 per violation). Also gives prescriptive authority to AG.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.