California lawmakers this week approved sweeping data privacy legislation, similar to the European Union's recently enacted General Data Protection Regulation, designed to give consumers more control over how companies collect and manage their data.
Governor Jerry Brown signed the bill, the California Consumer Privacy Act of 2018, after it crossed his desk Thursday afternoon.
The bill had previously passed through both chambers of the California legislature and is slated to go into effect January 1, 2020, although it's highly likely it will undergo some workshopping before that date.
In its current incarnation the law will require a company, on request, to tell consumers what personal information it has collected about them. Consumers will also be able to ask companies to delete any data they hold on them and to opt out of having that data sold.
The bill would apply to businesses that annually buy, sell or share the personal information of 50,000 or more consumers, households or devices (revenue-based thresholds also trigger coverage), and intentional violations would carry a civil penalty of up to $7,500 each. In both consumer and state lawsuits, companies would be given 30 days to cure the violation.
For breaches, consumers would be able to sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, under section 1798.150 of the bill:
1798.150.
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
The bill, also known as AB 375, could have a severe impact on the state's technology companies, especially those that have had a rocky history when it comes to handling users’ data.
Both Facebook and Uber of course have grappled over the past several months with the fallout around two scandals. We learned in April that Cambridge Analytica, a political consulting firm, managed to extract personally identifiable information from 87 million Facebook users. A separate breach exposed the information of 57 million Uber users in 2016. Uber ultimately hid that breach and paid the hackers to delete the stolen data.
Perhaps it shouldn’t come as a surprise that many Silicon Valley companies were not in favor of the bill. The Internet Association, a political lobbying group that represents Facebook, Amazon, Google, Uber, and a slew of other corporations, opposed the bill.
For what it’s worth, the lobbying group has said in the past that it is in favor of a “national standard that preempts state laws, but only if such standard does not create additional liabilities and burdens beyond what most states are currently requiring.”
Trade groups like the California Chamber of Commerce, National Retail Federation and the Association of National Advertisers also opposed the bill, according to Reuters.
The California law is far-reaching but less expansive than GDPR. The California legislation doesn’t require opt-in permission to collect user information. Beyond the right to opt out of the sale of their data, it also gives users no way to opt out of collection short of requesting complete deletion.
Once it goes into effect, California's law will likely displace Florida's Information Protection Act of 2014, currently thought of as one of the nation's strongest, as the benchmark. In Florida, if a company suffers a breach affecting 500 or more residents it must notify the state within 30 days. Florida entities are liable, per breach, for a civil penalty of $1,000 per day for up to 30 days following any violation and $50,000 per 30-day period thereafter, up to a maximum total of $500,000.