Just one month after the EU’s General Data Protection Regulation (GDPR) became effective, the U.S. — or at least California — is following suit.
It started when a California privacy-rights group drafted and proposed its California Consumer Privacy Act, a ballot initiative that gained more than enough signatures to make it onto voter ballots in November. But that’s only the beginning of the story.
The Data Privacy Ballot Initiative: “Your Life Is Not Their Business”
The privacy act proposed in California’s ballot initiative mirrored certain aspects of the GDPR but offered its own unique spin in other regards. Like the GDPR, it proposed a sweeping definition of “personal information,” gave consumers the right to demand that companies delete their information, and provided harsh penalties for security breaches. However, the California initiative provided an opt-out for the sale of consumers’ personal information, unlike the European requirement that data subjects actively opt in. It also, unlike the GDPR, allowed individuals to sue companies for data breaches without requiring proof of any resulting harm.
Technology companies — many of which are, of course, based in California’s Silicon Valley, where they would be directly affected by the new law — strongly opposed the ballot measure. Companies ranging from Amazon and Google to Twitter and AT&T all threw their financial support behind a countermeasure.
And the brouhaha was enough to force the legislature into action.
California Legislature Creates Its Own Privacy Act
In an effort to prevent voters from weighing in on the ballot initiative in November and adopting the proposed initiative without any modifications, the California legislature scrambled to pass its own privacy bill in just a few days. The sponsor agreed to withdraw the ballot initiative if both houses passed California Assembly Bill 375, establishing the California Consumer Privacy Act of 2018, and the governor signed it into law before the close of ballot measures on June 28. As of Thursday afternoon, that’s exactly what happened.
Like the ballot initiative that spawned it, the bill provides a broad definition of personal information and grants consumers many of the same rights, such as the right to have data deleted and to opt out of the sale of their personal information without penalty. (Companies can, on the other hand, offer “financial incentives” to customers who allow the collection, use, and sale of their information.) Under the new law, however, individual claims are limited, with California’s Attorney General bearing primary responsibility for enforcement.
The technology industry, for the most part, deemed the legislation the lesser of two evils. Robert Callahan, speaking for the Internet Association, explained that “The internet industry w[ould] not obstruct or block AB 375 from moving forward, because it prevent[ed] the even worse ballot initiative from becoming law in California.”
Implications for U.S. Ediscovery Practice
Of course, the California Consumer Privacy Act applies only within California, but with so many major technology companies headquartered there, it’s expected to set the course for the nation’s overall approach to data privacy.
Organizations across the U.S. — hopefully well-informed by their experience preparing for the GDPR — should scale up their data-mapping and data-access measures to comply with the law, at least for California residents. And information-governance policies should be revisited and revised so that companies can defensibly delete nonessential personal information, limiting their exposure to conflicting demands. There is time to prepare, as the bill does not go into effect until January 2020.
Of course, there will still be situations where litigation necessitates that personal data be preserved for ediscovery despite a customer request for deletion. The conflict between these requirements will play out faster, and closer to home, than anyone expected.
Ready or not, data privacy has landed in the U.S.