
AB 375

Page 1

Date of Hearing: June 27, 2017

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
AB 375 (Chau and Hertzberg) – As Amended June 25, 2018

INFORMATIONAL HEARING

SUBJECT: Privacy: personal information: businesses

SUMMARY: This bill would, effective January 1, 2020, enact the California Consumer Privacy
Act of 2018 to ensure, subject to certain exemptions, the privacy of Californians’ personal
information (PI), as defined, through various consumer rights including: the right to know what
PI is being collected about them and whether their PI is being sold and to whom; the right to
access their PI; the right to delete PI collected from them; the right to opt-out or opt-in to the sale
of their PI, depending on age of the consumer; and the right to equal service and price, even if
they exercise such rights. Specifically, this bill would:

Right of Access
1) Provide a consumer the right to request that a business that collects a consumer’s PI disclose
to that consumer the categories and specific pieces of PI the business has collected.

2) Require a business that collects a consumer’s PI to inform consumers, as specified, as to the
categories of PI to be collected and the purposes for which the categories of PI will be used.
Would prohibit a business from collecting additional categories of PI or using PI collected
for additional purposes without providing the consumer specified notice.

3) Require a business to provide, no more than twice in a 12 month period, the information
specified above, to a consumer only upon receipt of a verifiable consumer request, as
defined. More specifically, would require a business that receives a verifiable consumer
request to promptly take steps to disclose and deliver, free of charge to the consumer, the PI
required, as specified.

4) Specify that the above provisions relating to the consumer’s right to access their PI shall not
require a business to retain any PI collected for a single, one-time transaction, if such
information is not sold or retained by the business, or to reidentify or otherwise link
information that is not maintained in a manner that would be considered PI.

Right of Deletion
5) Provide a consumer the right to request that a business delete any PI about the consumer
which the business has collected from the consumer, and require a business that collects PI
about consumers disclose, as specified, the consumer’s rights to request the deletion of the
consumer’s PI.

6) Require a business that receives a verifiable request from a consumer to delete the
consumer’s PI, to delete the consumer’s PI from its records and direct any service providers
to delete the consumer’s PI from their records.

7) Specify that a business or a service provider is not required to comply with a consumer’s
request to delete the consumer’s PI if it is necessary for the business or service provider to
maintain the consumer’s PI in order to do various acts, including, among other things, to:

• complete the transaction for which the PI was collected, provide a good or service
requested by the consumer, or reasonably anticipated within the context of a business’s
ongoing business relationship with the consumer, or otherwise perform a contract
between the business and the consumer;

• detect security incidents, protect against malicious, deceptive, fraudulent, or illegal
activity; or prosecute those responsible for that activity;

• exercise free speech, ensure the right of another consumer to exercise his or her right of
free speech, or exercise another right provided for by law;

• engage in public or peer-reviewed scientific, historical, or statistical research in the public
interest that adheres to all other applicable ethics and privacy laws, when the businesses’
deletion of the information is likely to render impossible or seriously impair the
achievement of such research, if the consumer has provided informed consent;

• comply with a legal obligation; or

• otherwise use the consumer’s PI, internally, in a lawful manner that is compatible with
the context in which the consumer provided the information.

Right to Know What PI is Collected

8) Provide a consumer the right to request that a business that collects PI about the consumer
disclose to the consumer the following: (1) the categories of PI it has collected about that
consumer; (2) the categories of sources from which the PI is collected; (3) the business or
commercial purpose for collecting or selling PI; (4) the categories of third parties with whom
the business shares PI; and (5) the specific pieces of PI it has collected about that consumer.

9) Require a business that collects PI about a consumer to disclose to the consumer, as
specified, the information above, upon receipt of a verifiable request from the consumer.

10) Specify that these provisions relating to the right to request what PI is collected about the
consumer do not require a business to do the following:

• retain any PI about a consumer collected for a single one-time transaction if, in the
ordinary course of business, that information about the consumer is not retained; or

• reidentify or otherwise link any data that, in the ordinary course of business, is not
maintained in a manner that would be considered PI.

Right to Know Whether PI is Sold

11) Provide a consumer the right to request that a business that sells the consumer’s PI, or that
discloses it for a business purpose, disclose to that consumer: (1) the categories of PI that the
business collected about the consumer; (2) the categories of PI that the business sold about
the consumer and the categories of third parties to whom the PI was sold, by category or
categories of PI for each third party to whom the PI was sold; and (3) the categories of PI that
the business disclosed about the consumer for a business purpose.

12) Require a business that sells PI about a consumer, or that discloses a consumer’s PI for a
business purpose, to disclose, as specified, the above information to the consumer upon
receipt of a verifiable request from the consumer.

13) Require a business that sells consumers’ PI, or that discloses consumers’ PI for a business
purpose, to disclose, as specified: (1) the category or categories of consumers’ PI it has sold,
or if the business has not sold consumers’ PI, to disclose that fact; and (2) the category or
categories of consumers’ PI it has disclosed for a business purpose, or if the business has not
disclosed the consumers’ PI for a business purpose, to disclose that fact.

14) Prohibit a third party from selling PI about a consumer that has been sold to the third party by
a business unless the consumer has received explicit notice and is provided an opportunity to
exercise the right to opt-out pursuant to the provisions below.

Right to Opt-Out or Opt-In

15) Provide a consumer the right, at any time, to direct a business that sells PI about the
consumer to third parties not to sell the consumer’s PI. This right may be referred to as the
“right to opt-out.”

16) Prohibit, notwithstanding the above, a business from selling a consumer’s PI if the business
has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in
the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian,
in the case of consumers who are less than 13 years of age, has affirmatively authorized the
sale of the consumer’s PI. A business that willfully disregards the consumer’s age will be
deemed to have had actual knowledge of the consumer’s age. This right may be referred to as
the “right to opt-in.”

17) Require a business that sells consumers’ PI to third parties to provide notice to consumers, as
specified, that this information may be sold and that consumers have the right to opt-out of
the sale of their PI.

Right of Equal Service

18) Prohibit a business from discriminating against a consumer because the consumer exercised
any of the consumer’s rights under this bill, such as by charging different prices or rates, or
providing a different level or quality of goods or services.

19) Provide that nothing in the provision above prohibits a business from charging a consumer a
different price or rate, or from providing a different level or quality of goods or services to
the consumer, if that difference is reasonably related to the value provided to the consumer
by the consumer’s data.

20) Authorize a business to offer financial incentives, including payments to consumers as
compensation, for the collection, sale, or deletion of PI. Would further authorize a business to
offer a different price, rate, level, or quality of goods or services to the consumer if that price
or difference is directly related to the value provided to the consumer by the consumer’s data.
This authorization would be subject to specific notice requirements and conditioned upon the
consumer providing prior opt-in consent, as specified, which may be revoked by the
consumer at any time.

21) Prohibit a business from using financial incentive practices that are unjust, unreasonable,
coercive, or usurious in nature.

Compliance
22) Specify the notice requirements that must be met in order for a business to comply with the
above requirements. All notices must be in a form that is reasonably accessible to consumers,
and include, among other things:

• Making available to consumers two or more designated methods for submitting requests
for information required to be disclosed pursuant to the provisions relating to the
consumer’s rights to know what information is collected and/or sold about them,
including a toll-free telephone number, and a website address, if available.

• Disclosing and delivering the required information to a consumer free of charge within
45 days of receiving a verifiable request from the consumer, as specified, though this
time period may be extended once by an additional 45 days when reasonably necessary,
provided the consumer is provided notice of the extension within the first 45-day period,
in a specified manner. A consumer cannot be required to create an account with the
business in order to make a verifiable request.

23) Require a business that must comply with the section relating to the consumer’s right to opt-
in or opt-out to do the following, among other things, in a form that is reasonably accessible
to consumers:

• Provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not
Sell My Personal Information,” to an internet webpage that enables a consumer, as
specified, to opt-out of the sale of the consumer’s PI.

• Include a description of a consumer’s rights to opt-in or out, as specified, along with a
separate link to the “Do Not Sell My Personal Information” internet webpage in its online
privacy policy, if applicable, and any California-specific description of consumers’
privacy rights.

• For a consumer who has opted out of the sale of the consumer’s PI, respect the
consumer’s decision to opt-out for at least 12 months before requesting that the consumer
authorize the sale of the consumer’s PI.

24) Allow a consumer to authorize another person solely to opt-out of the sale of the consumer’s
PI on the consumer’s behalf, and would require a business to comply with such a request,
pursuant to regulations adopted by the Attorney General (AG).

Definitions
25) Define various terms for these purposes, including, among other things:

• “Business” to mean a sole proprietorship, partnership, limited liability company,
corporation, association, or other legal entity that is organized or operated for the profit or
financial benefit of its shareholders or other owners, that collects consumers’ PI, or on the
behalf of which such information is collected and that alone, or jointly with others,
determines the purposes and means of the processing of consumers’ PI, that does
business in California, and that satisfies one or more of the following thresholds:

o Has annual gross revenues in excess of $25,000,000, as adjusted as specified.

o Alone or in combination, annually buys, receives for the business’s commercial
purposes, sells, or shares for commercial purposes, alone or in combination, the PI of
50,000 or more consumers, households, or devices.

o Derives 50 percent or more of its annual revenues from selling consumers’ PI.

• “Business” would also mean any entity that controls or is controlled by a business, as
defined, above, and that shares common branding with the business, as specified.

• “Business purpose” to mean the use of PI for the business’s or a service provider’s
operational purposes, or other notified purposes, provided that the use of PI shall be
reasonably necessary and proportionate to achieve the operational purpose for which the
PI was collected or processed or for another operational purpose that is compatible with
the context in which the PI was collected. Business purposes are, among other things:

o auditing, as specified;

o detecting security incidents, protecting against malicious, deceptive, fraudulent, or
illegal activity, and prosecuting those responsible for that activity;

o debugging to identify and repair errors that impair existing intended functionality;

o short-term, transient use, provided the PI is not disclosed to another third party
and is not used to build a profile about a consumer or otherwise alter an individual
consumer’s experience outside the current interaction, including, but not limited to,
the contextual customization of ads shown as part of the same interaction;

o performing services on behalf of the business or service provider, including
maintaining or servicing accounts, providing customer service, processing or
fulfilling orders and transactions, verifying customer information, processing
payments, providing financing, providing advertising or marketing services,
providing analytic services, or providing similar services on behalf of the business or
service provider;

o undertaking internal research for technological development and demonstration; and

o undertaking activities to verify or maintain the quality or safety of a service or device
that is owned, manufactured, manufactured for, or controlled by the business, and to
improve, upgrade, or enhance the service or device that is owned, manufactured,
manufactured for, or controlled by the business.

• “Collects” to mean buying, renting, gathering, obtaining, receiving, or accessing any PI
pertaining to a consumer by any means. This would include receiving information from
the consumer, either actively or passively, or by observing the consumer’s behavior.

• “Personal information” to mean information that identifies, relates to, describes, is
capable of being associated with, or could reasonably be linked, directly or indirectly,
with a particular consumer or household. PI includes, but is not limited to, the following:

o Identifiers such as a real name, alias, postal address, unique personal identifier, online
identifier, Internet Protocol address, email address, account name, social security
number, driver’s license number, passport number, or other similar identifiers.

o Any categories of PI described in subdivision (e) of Section 1798.80 (see Existing
Law, below).

o Characteristics of protected classifications under California or federal law.

o Commercial information, as specified.

o Biometric information.

o Internet or other electronic network activity information, including, but not limited to,
browsing history, search history, and information regarding a consumer’s interaction
with an internet website, application, or advertisement.

o Geolocation data.

o Audio, electronic, visual, thermal, olfactory, or similar information.

o Professional or employment-related information.

o Education information, defined as information that is not publicly available
personally identifiable information as defined in the Family Educational Rights and
Privacy Act.

o Inferences drawn from any of the information identified in this subdivision to create a
profile about a consumer reflecting the consumer’s preferences, characteristics,
psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and
aptitudes.

• “Personal information” would exclude publicly available information. For these
purposes, “publicly available” would mean information that is lawfully made available
from federal, state, or local government records, if any conditions associated with such
information. “Publicly available” would not include biometric information collected by a
business about a consumer without the consumer’s knowledge. Further, information
would not be “publicly available” if that data is used for a purpose that is not compatible
with the purpose for which the data is maintained and made available in the government
records or for which it is publicly maintained. Lastly, “publicly available” would exclude
consumer information that is deidentified or aggregate consumer information.

• “Sell,” “selling,” “sale,” or “sold,” to mean selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise communicating orally, in
writing, or by electronic or other means, a consumer’s PI by the business to another
business or a third party for monetary or other valuable consideration.
For purposes of this title, a business does not “sell” PI when, among other things:

o A consumer uses or directs the business to intentionally disclose, as specified, PI or
uses the business to intentionally interact with a third party, provided the third party
does not also sell the PI, unless that disclosure would be consistent with this bill.

o The business uses or shares an identifier for a consumer who has opted out of the sale
of the consumer’s PI for the purposes of alerting third parties that the consumer has
opted out of the sale of the consumer’s PI.

o The business uses or shares with a service provider PI of a consumer that is necessary
to perform a business purpose if both of the following conditions are met: (i) the
business has provided notice that information being used or shared in its terms and
conditions, as otherwise specified under the bill; and (ii) the service provider does not
further collect, sell, or use the PI of the consumer except as necessary to perform the
business purpose.

Exemptions
26) Provide for specified exemptions, which include, among other things, that:

• The obligations imposed on businesses by this bill shall not restrict a business’s ability to
do the following:

o Comply with federal, state, or local laws.

o Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
summons by federal, state, or local authorities.

o Cooperate with law enforcement agencies concerning conduct or activity that the
business, service provider, or third party reasonably and in good faith believes may
violate federal, state, or local law.

o Exercise or defend legal claims.

o Collect, use, retain, sell, or disclose consumer information that is deidentified or in
the aggregate consumer information.

o Collect or sell a consumer’s PI if every aspect of that commercial conduct takes place
wholly outside of California, as specified.

• The specified rights under this bill shall not apply where compliance by the business
would violate an evidentiary privilege under California law and shall not prevent a
business from providing the PI of a consumer to a person covered by an evidentiary
privilege under California law as part of a privileged communication.

• This bill shall not apply to protected or health information that is collected by a covered
entity governed by the Confidentiality of Medical Information Act under state law, or
governed by the privacy, security, and breach notification rules issued by the federal
Department of Health and Human Services, established pursuant to the Health Insurance
Portability and Availability Act of 1996, as specified.

• This bill shall not apply to the sale of PI to or from a consumer reporting agency if that
information is to be reported in, or used to generate, a consumer report as defined
pursuant to federal law, and use of that information is limited by the federal Fair Credit
Reporting Act.

27) Specify that a time period for a business to respond to any verified consumer request may be
extended by up to 90 additional days where necessary, taking into account the complexity
and number of the requests. The business must inform the consumer of any such extension
within 45 days of receipt of the request, together with the reasons for the delay.

28) Specify that a business that discloses PI to a service provider shall not be liable if the service
provider receiving the PI uses it in violation of the restrictions set forth in this bill, provided
that, at the time of disclosing the PI, the business does not have actual knowledge, or reason
to believe, that the service provider intends to commit such a violation. A service provider
shall likewise not be liable for the obligations of a business for which it provides services as
set forth in this bill.

29) Prohibit this bill from being construed to require a business to reidentify or otherwise link
information that is not maintained in a manner that would be considered PI.

30) Provide that the rights afforded to consumers and the obligations imposed on businesses in
this bill shall not adversely affect the rights and freedoms of other consumers.

Limited Private Right of Action for Data Breaches

31) Provide for a limited private right of action, as specified. Specifically, would authorize any
consumer whose nonencrypted or nonredacted PI, as otherwise defined under the state’s
existing information security law, is subject to an unauthorized access and exfiltration, theft,
or disclosure as a result of the business’s violation of the duty to implement and maintain
reasonable security procedures and practices appropriate to the nature of the information to
protect the PI, to institute a civil action for any of the following:

• To recover damages in an amount not less than $100 and not greater than $750 per
consumer per incident or actual damages, whichever is greater.

• Injunctive or declaratory relief.

• Any other relief the court deems proper.

32) Require the court, in assessing the amount of statutory damages, to consider any one or more
of the relevant circumstances presented by any of the parties to the case, including, but not
limited to, the nature and seriousness of the misconduct, the number of violations, the
persistence of the misconduct, the length of time over which the misconduct occurred, the
willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net
worth.

33) Require the following requirements to be met for actions to be brought by a consumer
pursuant to this provision authorizing a private right of action for data breaches:

• First, prior to initiating any action against a business for statutory damages on an
individual or class-wide basis, a consumer must generally provide a business 30 days’
written notice identifying the specific provisions of this bill the consumer alleges have
been or are being violated. In the event a cure is possible, if within the 30 days the
business cures the noticed violation and provides the consumer an express written
statement that the violations have been cured and that no further violations shall occur, no
action for individual statutory damages or class-wide statutory damages may be initiated
against the business. If a business continues to violate this bill in breach of the express
written statement provided to the consumer under this section, the consumer may initiate
an action against the business to enforce the written statement and may pursue statutory
damages for each breach of the express written statement, as well as any other violation
of this bill that postdates the written statement.

• Second, a consumer bringing an action as defined shall notify the AG within 30 days that
the action has been filed.

• Third, the AG, upon receiving such notice shall, within 30 days, do one of the following:

o Notify the consumer bringing the action of the AG’s intent to prosecute an action
against the violation. If the AG does not prosecute within six months, the consumer
may proceed with the action.

o Refrain from acting within the 30 days, allowing the consumer bringing the action to
proceed.

o Notify the consumer bringing the action that the consumer shall not proceed with the
action.

34) Specify that nothing in this bill shall be interpreted to serve as the basis for a private right of
action under any other law. This shall not be construed to relieve any party from any duties
or obligations imposed under other law or the United States or California Constitution.

Attorney General Enforcement

35) Provide authorization for any business or third party to seek the opinion of the AG for
guidance on how to comply with the provisions of this bill.

36) Provide that a business shall be in violation of this bill if it fails to cure any alleged violation
within 30 days after being notified of alleged noncompliance. Any business, service provider,
or other person that violates this title shall be liable for a civil penalty as provided in the
Unfair Competition Law (UCL), as specified, in a civil action brought in the name of the
people of the State of California by the AG. Would further provide that these civil penalties
shall be exclusively assessed and recovered in a civil action brought in the name of the
people of the State of California by the AG.

37) Notwithstanding the civil penalties available under the UCL, as specified:

• any person, business, or service provider that intentionally violates this bill may be liable
for a civil penalty of up to $7,500 for each violation.

• any civil penalty assessed pursuant to the UCL for a violation of this bill, and the
proceeds of any settlement of an action brought pursuant to the provision above, must be
allocated as follows, subject to adjustment:

o 20 percent to the Consumer Privacy Fund, created within the General Fund, as
specified, with the intent to fully offset any costs incurred by the state courts and the
AG in connection with this title.

o 80 percent to the jurisdiction on whose behalf the action leading to the civil penalty
was brought.

Other provisions relating to Fund, Delayed Implementation, Preemption, and Construction

38) Specify that this bill is intended to further the constitutional right of privacy and to
supplement existing laws relating to consumers’ PI, as specified. The provisions of this bill
are not limited to information collected electronically or over the internet, but apply to the
collection and sale of all PI collected by a business from consumers. Wherever possible, law
relating to consumers’ PI should be construed to harmonize with the provisions of this bill,
but in the event of a conflict between other laws and the provisions of this title, the
provisions of the law that afford the greatest protection for the right of privacy for consumers
shall control.

39) Require the AG, on or before this bill’s delayed implementation date of January 1, 2020, to
solicit broad public participation to adopt regulations to further the purposes of this bill,
including, but not limited to, the following areas:

• Updating as needed additional categories of PI to those enumerated, above, in order to
address changes in technology, data collection practices, obstacles to implementation,
and privacy concerns.

• Establishing any exceptions necessary to comply with state or federal law, including, but
not limited to, those relating to trade secrets and intellectual property rights, within one
year of passage of this title and as needed thereafter.

• Establishing rules and procedures for the following, within one year of passage of this
bill and as needed thereafter:

o To facilitate and govern the submission of a request by a consumer to opt-out of the
sale of PI, as specified.

o To govern business compliance with a consumer’s opt-out request.

o The development and use of a recognizable and uniform opt-out logo or button by all
businesses to promote consumer awareness of the opportunity to opt-out of the sale of
PI.

• Establishing rules, procedures, and any exceptions necessary to ensure that the notices
and information that businesses are required to provide pursuant to this title are provided
in a manner that may be easily understood by the average consumer, are accessible to
consumers with disabilities, and are available in the language primarily used to interact
with the consumer, including establishing rules and guidelines regarding financial
incentive offerings, within one year of passage of this bill and as needed thereafter.

40) Specify that:

• This bill shall be liberally construed to effectuate its purposes.

• If a series of steps or transactions were component parts of a single transaction intended
from the beginning to be taken with the intention of avoiding the reach of this bill,
including the disclosure of information by a business to a third party in order to avoid the
definition of sell, a court must disregard the intermediate steps or transactions for
purposes of effectuating the purposes of this bill.

• Any provision of a contract or agreement of any kind that purports to waive or limit in
any way a consumer’s rights under this bill, including, but not limited to, any right to a
remedy or means of enforcement, shall be deemed contrary to public policy and shall be
void and unenforceable, as specified.

41) Include a delayed implementation date of January 1, 2020, a preemption clause, and a
severability clause, as specified.

42) Specify that the bill shall become operative only if a specified initiative measure, measure
No. 17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot
pursuant to existing law.

43) Include various findings and declarations.

EXISTING LAW:

1) Provides that, among other rights, all people have an inalienable right to pursue and obtain
privacy. (Cal. Const., art., Sec. 1.)

2) Establishes the information security law, which requires a business that owns, licenses, or
maintains PI, as defined, about a California resident to implement and maintain “reasonable
security procedures and practices appropriate to the nature of the information,” to protect the
PI from unauthorized access, destruction, use, modification, or disclosure. (Civ. Code Sec.
1798.81.5(b).)

3) Further requires a business that discloses PI about a California resident pursuant to a contract
with a nonaffiliated third party that is not subject to the above provision to require by
contract that the third party implement and maintain “reasonable security procedures and
practices appropriate to the nature of the information,” to protect the PI from unauthorized
access, destruction, use, modification, or disclosure. (Civ. Code Sec. 1798.81.5(c).)

4) Defines personal information, for purposes of Section 1798.80 and the state’s data breach
laws, generally, to mean: any information that identifies, relates to, describes, or is capable of
being associated with, a particular individual, including, but not limited to, his or her name,
signature, social security number, physical characteristics or description, address, telephone
number, passport number, driver’s license or state identification number, insurance policy
number, education, employment, employment history, bank account number, credit card
number, debit card number, or any other financial information, medical information, or
health insurance information. “Personal information” for these purposes, does not include
publicly available information that is lawfully made available to the general public from
federal, state, or local government records. (Section 1798.80(e).)

5) Requires, under the Privacy Rights for California Minors in the Digital World, that an
operator of an internet website, online service, online application, or mobile application that
is directed to minors or that has actual knowledge that a minor is using its internet website,
online service, online application, or mobile application shall do all of the following:

• Permit a minor who is a registered user, as specified, to remove or, if the operator prefers,
to request and obtain removal of, content or information posted on the operator’s internet
website, online service, online application, or mobile application by the user.

• Provide notice to a minor who is a registered user that the minor may remove or, if the
operator prefers, request and obtain removal of, posted content or information, as
specified.

• Provide clear instructions to a minor who is a registered user on how the user may
remove or, if the operator prefers, request and obtain the removal of posted content or
information.

• Provide notice to a minor who is a registered user that the removal does not ensure
complete or comprehensive removal of the posted content or information. (Bus. & Prof.
Code Sec. 22581(a).)

6) Provides that an operator or a third party is not required to erase or otherwise eliminate, or to
enable erasure or elimination of, content or information in certain circumstances, such as where:

• Any other provision of federal or state law requires the operator or third party to maintain
the content or information.

• The content or information was stored on or posted to the operator’s internet website,
online service, online application, or mobile application by a third party other than the
minor, who is a registered user, including any content or information posted by the
registered user that was stored, republished, or reposted by the third party.

• The operator anonymizes the content or information posted by the minor who is a
registered user, so that the minor cannot be individually identified.

• The minor has received compensation or other consideration for providing the content.
(Bus. & Prof. Code Sec. 22581(b).)

7) Specifies that these provisions shall not be construed to require an operator of an Internet
Web site, online service, online application, or mobile application to collect age information
about users. (Bus. & Prof. Code Sec. 22581(e).)
8) Requires, under the California Online Privacy Protection Act (CalOPPA), that an operator of
a commercial website or online service that collects personally identifiable information (PII)
through the internet about individual consumers residing in California who use or visit its
website or service to conspicuously post its privacy policy on its website, or in the case of an
operator of an online service, make that policy available in accordance with specified law.
An operator is only deemed to be in violation of CalOPPA if it fails to post its policy within
30 days after being notified of noncompliance. (Bus. & Prof. Code Sec. 22575(a).)

9) The privacy policy required above must, among other things:

• Identify the categories of PII that the operator collects through the website or online
service about individual consumers who use or visit its commercial website or online
service and the categories of third-party persons or entities with whom the operator may
share that PII.

• Describe the process by which the operator notifies consumers who use or visit its
commercial website or online service of material changes to the operator’s privacy policy
for that website or online service.

• Disclose whether other parties may collect PII about an individual consumer’s online
activities over time and across different websites when a consumer uses the operator’s
website or service. (Bus. & Prof. Code Sec. 22575(b).)

10) Provides that an operator of a commercial website or online service that collects PII through
the website or online service from individual consumers who use or visit the commercial
website or online service and who reside in California shall be in violation of this section if
the operator fails to comply with the provisions, above, or with the provisions of its posted
privacy policy in either of the following ways: (1) knowingly and willfully; or (2) negligently
and materially. (Bus. & Prof. Code Sec. 22576.)

FISCAL EFFECT: Unknown

COMMENTS:

1) Purpose of this bill: This bill seeks to enact the California Consumer Privacy Act of 2018 to
further the privacy rights of Californians by providing consumers an effective way to control
the collection and sale of their PI by businesses, service providers, and third parties. This bill
is sponsored by Common Sense Kids Action.

2) Author’s statement: According to the author, “Americans value their privacy, be it in the
physical world or online. A 2014 PEW Research Center study found that 91% of adults agree
that ‘consumers have lost control over how personal information is collected and used by
companies.’ A subsequent study in 2016 found that “some 74% say it is ‘very important’ to
them that they be in control of who can get information about them, and 65% say it is ‘very
important’ to them to control what information is collected about them. The same study
found that 64% of Americans believe that the government should do more to regulate what
advertisers do with their personal information.

The unregulated and unauthorized disclosure of personal information and the resulting loss of
privacy can have devastating effects for individuals, ranging from financial fraud, identity
theft, and unnecessary costs to personal time and finances, to the destruction of property,
harassment, reputational damage, emotional stress, and even potential physical harm.

The recent data breaches that have affected millions of people – those experienced by Target,
Equifax, Cambridge Analytica, and many more – have also raised concerns from Internet
users around the world. In fact, ‘a majority of Americans (64%) have personally experienced
a major data breach, and relatively large shares of the public lack trust in key institutions –
especially the federal government and social media sites – to protect their personal
information.’

The prevalence of these occurrences and uncertainty about what data is being collected about
individuals has drawn the ire of consumer and public interest groups, while the threat of
restrictive regulation worries technology companies, many of which are headquartered in
California and employ thousands of individuals here.

The European Union has recently enacted new privacy laws through its General Data
Protection Regulation (GDPR), which is designed to give consumers more control over their
data. California consumers should similarly be able to exercise control over their personal
information, and should have reasonable certainty that there are safeguards in place to protect
against the misuse of their personal information. It is possible for businesses both to respect
consumers’ privacy and provide a high level of transparency with respect to their business
practices.”

3) Legislative effort to reach agreement obviating need for ballot initiative: This bill
represents a legislative effort to reach an agreement on issues relating to the collection and
sale of consumers’ PI by businesses, both online and otherwise, that are also the subject of an
initiative measure which will otherwise be placed on this November’s ballot. As reflected in
this bill, AB 375 would only take effect if the initiative is withdrawn from the ballot. It is the
understanding of staff that the initiative may only be withdrawn up to 5 p.m. on June 28, 2018,
through the Secretary of State’s office.

Given the shortened timeframe for the houses to consider this matter in light of the timing of
the agreement reached between the authors and the initiative proponent and the “72 hour
rule” enacted by voters by way of Proposition 54 in 2016 (generally prohibiting the
Legislature from passing legislation that has been amended within the previous 72 hours
before the vote), the informational hearing held today enables full testimony to be taken on
the bill in policy committee for the Assembly.

4) Bill expands upon rights that initiative would have attempted to establish: This bill
seeks to strike an appropriate balance between a variety of competing interests between
consumer and privacy groups on one side and the business, telecommunications, and
technology industry on the other. The proponents of the initiative sought to ensure that the
privacy rights of Californians were better protected with respect to certain business practices.
The industry raised a number of concerns related to the initiative, including issues with
workability, and a number of concessions have been made on both sides.

Specifically, AB 375 seeks to enact the California Consumer Privacy Act of 2018, operative
beginning January 1, 2020, to generally ensure a person’s right to access their PI; the right to
delete PI collected from them; the right to know what PI is being collected about them and
whether their PI is being sold and to whom; the right to opt-out or opt-in to the sale of their
PI, depending on age of the consumer; and the right to equal service and price. In contrast to
the initiative, which includes many but not all of those same rights, this bill enhances various
consumer rights and protections, by, among other things:

• Ensuring that consumers can access the PI that a business collects about them, not just in
terms of the categories of PI collected, but also with respect to the specific pieces of PI
that the business has collected. Moreover, if this information is provided electronically,
AB 375 ensures that the information must be in a portable and, to the extent technically
feasible, readily useable format that allows the consumer to transmit this information
to another entity without hindrance.

• Establishing the right of consumers to request the deletion of the PI that a business has
collected from the consumer (as opposed to from other consumers, in order to protect
First Amendment rights of those other consumers), subject to certain exceptions.

• Expanding the right of consumers to know what PI a business has collected about them to
include the ability to find out not just the categories of PI collected, but also the specific
pieces of PI that the business has collected about that consumer. Moreover, AB 375
grants the consumer a right to know the sources from which the PI is collected, as well as
the business or commercial purpose for collecting or selling the PI.

• Addressing the PI of children separately from that of parents or guardians, as opposed to
classifying all children’s information as a subcategory of the parent’s PI.

In addition to these items, AB 375’s provisions differ from the initiative measure by
addressing the recent Cambridge Analytica situation head on (wherein the PI of at least 87
million Facebook users was harvested and used by a “third party” in an effort to influence the
2016 U.S. presidential election), and clearly prohibiting third parties from further selling or
disclosing information received from a business unless the third party complies with the
provisions of this bill.

Staff notes that yet another significant difference between this bill and the initiative is that
the “publicly available” exception to PI in this bill excludes language from the initiative
which states that publicly available information (and thus, not “PI” under the initiative) is
information that is “available to the general public.” This difference should remove any
doubt that information about individuals, and particularly younger generations, that is not
privately held, whether by that individual’s choice or not (e.g., information found on a
person’s social media posts or the posts of their friends), is not “publicly available” (and
thus exempt from the definition of PI). To exclude such information from the definition of PI
could have significant unintended consequences and could very well result in litigation to
determine whether or not certain information is “available to the general public.”

5) Limited private right of action and other changes to the initiative to address industry
concerns: As discussed in Comment 4, above, in order to reach a legislative compromise on
the issues surrounding the collection and sale of a consumer’s PI by a business, the authors of
this legislation have sought to both add protections to the initiative, and remove various
provisions that raised workability issues/legitimate business practice concerns and otherwise
limit liability exposure. The tradeoffs to address industry concerns and counterbalance the
consumer rights added within this bill include the following:

• the removal of the initiative’s whistleblower provisions;

• a significant reduction of business’ liability exposure pursuant to consumer-initiated
actions;

• a right to cure, when possible, both in the public and private enforcement provisions;

• a limitation of public enforcement to actions by the AG and explicit authorization to
receive guidance from the AG on compliance as the single regulatory entity;

• a recognition of the ability of businesses to engage in various research-related activities,
such as for internal research and development, or other allowable forms of research with
specified safeguards that would both ensure informed consent and better protect the
consumers’ information used in the research;

• additional express exemptions, such as to exercise or defend legal claims, or for PI
collected, processed, sold, or disclosed pursuant to certain federal laws, if the handling of
the PI is in conflict with those laws;

• language clarifying that businesses are not required to retain PI in situations where they
would not ordinarily maintain that information (which would also undermine consumer
protections);

• authorization to engage in certain financial incentive programs, as specified, such as free
subscription services in exchange for advertising where the value to the consumer is
based on the consumer’s data, as long as the financial incentive program is not unjust,
unreasonable, coercive, or usurious and is directly related to the value provided to the
consumer by the consumer’s data;

• a narrowing of the definition of “sell” to remove reference to situations that do not
involve valuable consideration; and

• a limitation of the obligation of businesses to identify, for consumers, the parties with
whom the consumer’s PI was collected and shared, or to whom it was sold or disclosed
for a business purpose, to “categories” of third parties, as opposed to specific third parties.

With respect to enforcement specifically, the bill would create a limited private right of action
for consumers whose information is subject to specified data breaches, and would otherwise
generally provide for enforcement of the rights and obligations of the bill by way of public
enforcement by the AG. This limitation on the private right of action, however, does not
relieve any parties from their duties and obligations under any other law or the constitution.
As indicated above, the bill would also recognize the ability of businesses to seek guidance
from the AG about how to comply with the provisions of this bill, to ensure a single
enforcement/regulatory entity. To that end, the AG would also be charged with adopting
regulations in furtherance of this bill. These regulations would include, among other things,
regulations on the financial incentive programs authorized under this bill.

6) Reconciling the prohibition against discrimination for exercising the consumer’s rights
with the provision allowing for financial incentive programs: Similar to the initiative, AB
375 prohibits a business from discriminating against a consumer because the consumer
exercised any of the consumer’s rights under the bill. Such discrimination may take the
following forms, among other things: (1) denying goods or services to the consumer; (2)
charging different prices or rates for goods or services, including through the use of discounts
or other benefits or imposing penalties; (3) providing a different level or quality of goods or
services to the consumer; or (4) suggesting that the consumer will receive a different price or
rate for goods or services or a different level or quality of goods or services. Unlike the
initiative, however, the bill specifies that nothing in the above provisions prohibits a business
from charging a consumer a different price or rate, or from providing a different level or
quality of goods or services to the consumer, if that difference is reasonably related to the
value provided to the consumer by the consumer’s data.

In addition, the bill provides that a business may offer consumers financial incentives,
including payments to consumers as compensation, for the collection, sale, or deletion of PI.
A business may also offer a different price, rate, level, or quality of goods or services to the
consumer if that price or difference is directly related to the value provided to the consumer
by the consumer’s data. The business, however, is prohibited from using financial incentive
practices that are unjust, unreasonable, coercive, or usurious in nature. Additionally, the bill
subjects businesses that offer financial incentives to consumers to various notice
requirements, and specifies that a business may enter a consumer into a financial
incentive program only if the consumer provides prior opt-in consent which clearly describes
the material terms of the program and which may be revoked by the consumer at any time.

Such provisions would authorize a business model by which consumers are allowed to elect
to use free subscriptions in exchange for advertising or sign up for a paid subscription, such
as with Spotify, for example. Ultimately, the bill anticipates that the AG will develop
regulations by the time it becomes operative regarding financial incentive offerings which
presumably will help reconcile these provisions to prevent discriminatory pay for privacy
regimes.

7) Bill compared with the European Union’s new GDPR: As discussed in Comment 4, this
bill includes several elements that are not included in the initiative. Many of those concepts are
similarly addressed in the European Union’s privacy law, the General Data Protection
Regulation (GDPR), which took effect in May of this year. Among these are: that a business
has to provide a consumer specific information they have collected about the consumer; that
minors receive special protections; that the consumer can request that a business delete PI
that was collected from the consumer; and that the consumer has a right to data portability (or
rather, the right to ask a business for access to the information that the business has collected
about the consumer and to move that PI from one entity to another without hindrance).

8) Clean up “trailer bill” presumably to follow: This bill includes a delayed implementation
of January 1, 2020, to allow for businesses to prepare and for the Legislature to enact clean
up legislation to correct errors in the drafting of this legislation, as well as clarify provisions
further for stakeholders, if possible. Some stakeholders, including some of the opponents
listed in this analysis, have written to identify corrections necessary. For example, the
California Hospital Association (CHA) writes an “oppose unless amended” letter, stating that
while AB 375 recognizes the myriad health information privacy laws and attempts to exempt
health care entities, the bill’s current “exemption language is improperly drafted. CHA has
provided to the author suggested amendments that would address the errors.”

9) Arguments in support: In support, the Consumer Attorneys of California writes that AB
375 will “move California a step forward in protecting Californians’ constitutional right to
privacy. In the aftermath of the Equifax scandal, Consumer Attorneys of California co-
sponsored SB 1121 (Dodd) in order to incentivize the protection of consumer data and
prevent future breaches. Although a much narrower and limited approach, AB 375 takes a
positive step towards protecting consumers’ data.”

Consumer Watchdog writes in support of this bill because, while “AB 375 is not perfect […
it] is a substantial forward step for privacy protection in California.” Specifically, it writes:

AB 375 makes substantial steps toward providing real ways to protect our privacy rights.
[…] Importantly the bill provides for statutory damages and a right to private action in
the event of a data breach. While there are some limits on the private action right, no
provision for any private right of action exists in current data breach law. The bill
provides business can’t deny service because you won’t allow information to be sold.
They could charge more, but any such charge cannot be: “unjust, unreasonable, coercive
or usurious.” Also, the difference in price or service must be “directly related to the value
provided to the consumer by the consumer’s data.”

Currently there are no protections that would ensure service if you refuse to have your
data sold. Under AB 375, if a charge is levied, it will make the practice transparent so
consumers understand what is at stake. Additionally, we expect the attorney general to
implement regulations that will protect consumers from predatory practices.

The Center for Humane Technology echoes some of these points and adds, in support, that
“CalCPA [AB 375] also establishes crucial protections for children under 16, who face new
challenges as the first generation to grow up online and whose digital wellbeing will have a
profound effect on their personal development. In recognition of the unique needs of kids in
the digital age, CalCPA would require that children under 16, and parents or guardians for
children under 13, must opt-in before a company can sell their personal information[.] When
California[n]s are online, whether at school or at home, it is absolutely vital that their privacy
is protected. CalCPA is an essential first step in ensuring the privacy of kids, families, and all
consumers.”

CALPIRG writes a “support if amended” letter noting concerns about ensuring that companies
do not engage in price discrimination and concern with the enforcement provisions, but is
otherwise supportive given the provision allowing for a private right of action for data
breaches included from SB 1121 (Dodd).

10) Arguments in opposition: The California Cable & Telecommunications Association
(CCTA) writes in opposition that “AB 375 is overly broad and would impose significant
operational costs on businesses without significantly improving privacy for consumers.” To
this end, CCTA identifies four specific issues with the bill:

• Personal Information Definition: arguing that the focus of this key definition should be,
as it is in California’s Shine the Light and CalOPPA laws, on specific individuals, not on
devices or households.

• Data Breach Safe Harbor: stating that “[t]he bill should include a safe harbor for entities
that are subject to third-party security assessments, and have received certifications from,
independent security assessment firms.”

• Arbitration Clauses: requesting clarity that this bill does not prohibit arbitration clauses in
contracts.

• Data Portability Mandate: arguing that “such a requirement will be impossible for most
businesses to achieve operationally, especially given the bill’s very broad definition of
personal information.”

Also in opposition, the Media Alliance writes that it opposes “the last minute deal to rush
through broadband privacy legislation prior to June 28th in order to remove the California
Consumer Privacy Act from the fall ballot. We do this in spite of the fact that we are quite
eager and in fact somewhat desperate for the Legislature to act on online privacy.” Media
Alliance argues that this bill weakens the ballot initiative. Specifically, it raises issue with
what it characterizes as “codifying price discrimination for privacy.” It also argues in
opposition because of the narrowed definition of “sale,” which eliminates application of the
bill to any transfer of data for which valuable consideration has not been
provided. Furthermore, Media Alliance objects to the consumer’s limited right of
remediation under the narrowed private right of action.

A coalition of businesses and organizations in opposition, led by the California Chamber of
Commerce, writes that:

[…] the business community is in an untenable situation. Although AB 375 is deeply
flawed, the “privacy initiative” is even worse. The stakes of this initiative are
enormous because if the initiative is passed, then the Legislature will be virtually unable
to amend the law in the future. So, at this late hour, we prefer the legislative process to
the initiative process, which leaves very little room to amend or update this law for
businesses and technology constantly evolving for the betterment of California.

The business community has been and remains interested in and dedicated to crafting
reasonable privacy legislation. We strongly urge the Legislature to consider the numerous
problems presented by this bill and to fix them as we move forward. These include, but
are not limited to, the issues surrounding enforcement, definitions of personal
information and sale, consumer transparency and access, the right to delete information,
certain opt-in rights, the mandated ‘opt-out’ button, the creation of GDPR-like rights in
language that differs from the GDPR, the Attorney General’s regulatory process, and
confusing language that will be difficult for businesses and consumers to understand.

REGISTERED SUPPORT / OPPOSITION:

Support

Common Sense Kids Action (sponsor)

CALPIRG (support if amended)
Center for Humane Technology
Consumer Attorneys of California
Consumer Watchdog

Opposition

California Chamber of Commerce

Advanced Medical Technology Association
American Insurance Association
Association of California Life & Health Companies
Association of National Advertisers
California Association of Licensed Investigators
California Bankers Association
California Business Properties Association
California Cable & Telecommunications Association
California Communications Association
California Community Banking Network
California Grocers Association
California Hospital Association (oppose unless amended)
California Land Title Association
California Mortgage Bankers Association
California Restaurant Association
California Retailers Association
CompTIA
CTIA
IHS Markit
Internet Association
Media Alliance
National Association of Mutual Insurance Companies
National Retail Federation
Pacific Association of Domestic Insurance Companies
Personal Insurance Federation of California
Pharmaceutical Research and Manufacturers of America
Property Casualty Insurers Association of America
Retail Industry Leaders Association
Securities Industry and Financial Markets Association
TechNet

Analysis Prepared by: Ronak Daylami / P. & C.P. / (916) 319-2200