Tag Archives: Privacy law

CA AB 375 – A Law That Will Change The Internet As We Know It

For those of you who do not have a life and hence follow the shenanigans of the legislative process in various states, today is a day that you will remember.

The California legislature was held hostage by real estate mogul Alastair Mactaggart.  Mactaggart spent $3 million of his own money (for him, seat cushion money) to get the California Consumer Privacy Act on the ballot.

Here is the hostage part.

The ballot initiative would have written consumer privacy protections similar to Europe's General Data Protection Regulation (GDPR), which just went into effect, into California law by vote of the people.  Businesses were geared up to fight the initiative, planning to spend $100 million against it.  Mactaggart could have raised that much from his close friends, so there was going to be a battle.

Of course, no one knows whether the ballot initiative would have passed, but if it had, it would have been impossible to change without another ballot initiative.

The alternative was for the legislature to pass a law, Assembly Bill 375, that would mimic the major features of the ballot initiative but could be amended much more easily if there were unforeseen consequences.

TODAY was the deadline for pulling the ballot initiative.

So the legislature made a bargain from hell.  They passed the bill and Governor Brown signed it, but the bill has a poison pill in it: if the ballot initiative is not withdrawn, the law is null and void.  Mactaggart agreed to withdraw the initiative if the bill was passed and signed, and he did withdraw it today.

So tech companies get a law with more wiggle room than the initiative would have had, but far less flexibility than they have today.

AND, unless they plan on having two Internets, one for California and one for the rest of the country, the change will affect everyone.

The bill was a work in progress right up until the time it was voted on.  We have seen that in Congress many times, so it should not surprise anyone.  Now that it has been signed into law, people will start dissecting it.  Without regard to the nuances, here is what the San Jose Mercury News says about it.

First, the bill does not take effect until 2020, which is probably a good thing.

Like the GDPR, the law will let consumers learn what data is collected about them, opt out of having it sold, and hold companies accountable for data breaches.

When California passed SB 1386, the landmark breach notification law that took effect in 2003, everyone thought they were crazy, and maybe they were, but 1386 is the model for every breach notification law in the United States.

CA AB 375 may do that again – leading the way.  The saying goes, “As goes California, so goes the rest of the country”.

The passing of this bill came right on the heels of the Exactis data breach, which exposed records on some 340 MILLION people and businesses, so the California tech companies were playing Russian roulette with at least four bullets in the cylinder.  In light of that breach, would California voters have enshrined a much more aggressive law by initiative?

One part of the bill that companies doing business in California are breathing a sigh of relief over is the private right of action.  Under AB 375 you and I can sue a company over a breach of our data, a statutory right that does not exist today, but under the ballot initiative we could have sued over a violation of any part of the law.  Still, the threat of 30 million Californians suing you over a data breach should get the attention of most Board members.

In exchange for limiting the right to sue, residents can ask, up to twice a year and for free, what information companies have on them.  The law also gives people the right to have that information deleted.

For consumers under 16, companies must get an opt-in before they may sell their data in the first place.

Google and Facebook already want to change the law, but I assume that if they stray too far, Mactaggart will dust off the initiative, which by then will probably seem to many Californians like a tweak, and the odds of a new initiative passing will be greatly increased.

After today, Californians will expect this to be the new norm.

Facebook and Google’s trade group said that they want to change it so that Californians get all the benefits and opportunities consumers expect.  One of the benefits many consumers expect is a tiny little bit of privacy.  One of the benefits Facebook and Google want is to sell every little thing they can find out about you.

A recent poll found that 73 percent of those polled think there should be more regulation of big tech companies, so I would say they (Facebook and Google and their friends) should be very careful about what they do, or they may get something that they REEEEEALLY don’t like: a new ballot initiative.

Professor Eric Goldman, Professor of Law at Santa Clara University School of Law, co-director of the school’s High Tech Law Institute and supervisor of its Privacy Law Certificate, writes an incredible blog.

Yesterday he wrote the longest blog post I have ever seen him write, about what was, at the time, still a bill.

I won’t even try to recreate the blog in this post, but a link to it is available at the end.

Professor Goldman calls the bill a privacy bomb.  Depending on which side you are on, it is either a good bomb or a bad bomb.

The bill creates what is now called the California Consumer Privacy Act of 2018, effective in 18 months, on January 1, 2020.

Just like GDPR, covered businesses will need to build a mechanism to respond to consumer requests for access to their data, for deletion, and for limits on data sharing.  Businesses can decline to delete information if they meet one of several exceptions.

It prohibits a third party (like Exactis, which was just breached) from selling personal data about a consumer that it received from a business unless the consumer has received explicit notice and been given the opportunity to opt out.  For businesses that are in the business of selling your data, this is a nightmare.

Businesses have to provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” (GDPR has no equivalent requirement).  Today, if there even is a way to opt out, it is buried on page 22 of a privacy policy full of dense legalese.

The bill prohibits discriminating against a consumer for exercising rights under the law.  Discrimination includes denying goods or services to the consumer, charging different prices or rates, or providing a different level or quality of goods or services.

But there is a takeaway here.

They can charge a different price or offer a different level of service if the difference is reasonably (are the lawyers paying attention?) related to the value provided to the consumer by the consumer’s data.  So if Facebook can make, say, $5 a month per user by selling their data, they could say that if you don’t want us to sell your data, give us your credit card and we will charge you $5 a month.  Under that scenario they could not charge you $25 a month.

Businesses are also allowed to pay you for permission to sell your data (which somehow is different from charging you a different rate if you refuse).  Consumers would have to opt in to that.

Like GDPR, businesses have to disclose a whole bunch of new information in their privacy policy.

Finally (this post is already way too long), the bill allows consumers to bring a civil action and recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is GREATER, when their unencrypted and unredacted personal information is breached because the business failed to maintain reasonable security.

Professor Goldman’s post has a lot of additional information, so please read it.

The bill does have an exemption for small businesses.  The law applies to any business that meets ANY of these criteria:

  • Annual gross revenue over $25 million -OR-
  • Derives 50% or more of its annual revenue from selling consumers’ personal information -OR-
  • Annually buys, sells, shares for commercial purposes, or receives for commercial purposes the personal information of 50,000 or more consumers, households or devices.  That works out to about 137 per day.

My guess is that the last item is the one that will catch most small businesses.

I will write more about this as the details become more solid. Professor Goldman wrote his blog based on a three day old version of the bill, so who knows what got added or deleted.

Information about the bill can be found on the Assembly’s web site, but as of tonight, the enrolled bill is not there.  Here is a link to the bill’s history.

Information for this post came from the San Jose Mercury News and Prof. Eric Goldman’s Privacy Blog.


Colorado Governor Signs New Cyber Security Bill Into Law

Effective September 1, 2018, *ALL* companies doing business in Colorado will have just 30 days after determining that a breach occurred to notify affected residents.  That is just one of the new rules.

The rules apply to both government entities and businesses, which is a bit of a surprise.  They sit in different sections of the law, but the requirements are basically the same.

What will businesses need to do?

  • Have a written policy for the destruction or proper disposal of paper and electronic documents containing personal information.
  • Implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information and the size of the business.  While this gives you a lot of wiggle room, you may need to justify to a judge or the attorney general why you called your practices reasonable.
  • If you use any third-party service providers (which is pretty much everybody), you must require that third party to implement and maintain reasonable security practices and procedures, unless you choose to be liable for protecting that data yourself instead (which is not a great idea).
  • In case of a breach, notify affected residents with specific information about the breach.  If the business does not have sufficient contact information to notify residents directly, or if the cost of direct notice would exceed $250,000 (or for a couple of other reasons), an alternate notification process kicks in, which includes a prominent notice on the company’s web site and notification via statewide media.
  • If the breach affects more than 500 Colorado residents, the business must also notify the attorney general, and if it affects more than 1,000, the business must also notify the consumer credit reporting agencies.  Consumers cannot waive these rights in a contract or other agreement.
  • If encrypted data is breached, notification is not required as long as the encryption key or mechanism was not also compromised.  This means that if a powered-off, encrypted laptop is stolen, notification is likely not required; otherwise, it probably is.
  • Criminal charges may be brought against a business under certain circumstances.

This law leaves a lot of leeway for the Attorney General to interpret things and the current AG was very active in shaping this bill, so I would not count on him being lax when it comes to prosecution.