California Dramatically Expands Consumer Privacy Rights For the Entire Country

California recently passed the California Consumer Privacy Act of 2018, described by former Gov. Jerry Brown as a “historic step” for California consumers, “giving them control over their personal data.”  He claimed that the law “forges a path forward to lead the nation once again on privacy and consumer protection issues.”

This is not just political puffery.  The Consumer Privacy Act has broad-ranging implications for the rest of the country, not just California.  It applies to a wide range of “personal information,” including personal identifiers, location, biometric data, internet browsing history, psychometric data, and inferences companies might make about the consumer.  Crucially, it applies to every California resident, which means that every internet company doing business in California will be required to comply with the new rules.

That means that companies doing business in California will either be required to update their data privacy rules to comply across the board, or establish a piecemeal solution customized by state, which would be prohibitively expensive in most instances.  After the European Union instituted the General Data Protection Regulation (“GDPR”) in 2018, many Americans saw GDPR notices even though they were out of the required jurisdictional zone, as many companies found it more efficient to simply apply the same data protection requirements system-wide.  Further, since so many internet companies are headquartered in Silicon Valley, they may be forced to undertake sweeping changes to comply with the new rules.

It also contains serious new protections for consumers.  Any company that generates revenue from targeted advertising over the internet – for example, Facebook, Instagram, or Google – must allow California residents to delete their data or bring it with them to alternative service providers.  This could also apply to internet service providers – for example, AT&T or Verizon – which sometimes collect web browsing data and sell the data for advertising purposes.  Some companies – for example, Experian or Oracle – rely entirely on data collection and its sale to third parties.  Their entire business model may now be outdated.

Further, it provides a private right of action for consumers to sue companies that wrongfully collected data, failed to delete data, or were negligent in protecting data.  Every company has a requirement to use “reasonable security policies and procedures,” and consumers can sue to enforce these obligations.  This will surely result in a slew of consumer class actions aimed at faulty data policies.

The overall effect of this law is to cut off a serious source of profits for internet companies that provide “free” services, financed through the sale of consumer data.  California consumers (who make up 12 percent of the U.S. population) will now have unprecedented control over their personal information and its use, and the right to sue to enforce compliance.  However, internet companies may find themselves spending a significant amount of time and energy to bring themselves into compliance by the 2020 deadline.