Norton Rose Fulbright - Data Protection Report blog

A little more than one month from implementation of GDPR, companies may be tempted to relax and exhale (and if GDPR is still causing you headaches, consult our checklist). After all, the U.S. couldn’t be crazy enough to implement something as onerous and difficult, right? RIGHT?!?

Enter California, which appears likely to place an initiative on the November 2018 ballot that could bring some familiar aspects of GDPR to the sixth largest economy in the world. The proposed initiative, the Consumer Right to Privacy Act of 2018 (the “CRPA”), still needs to obtain the necessary signatures to appear on the ballot and then be passed by a majority of California voters. However, given the high profile data misuse and breach stories in the news over the past several months, the possible passage of the initiative must be taken seriously.

The CRPA would be grafted onto existing California privacy laws, including the Shine the Light law and the Customer Records Act. Among other things, these laws require businesses to accommodate consumer requests seeking to learn whether personal information has been disclosed within the past year for direct marketing purposes, allow consumers to opt out of such disclosures, and mandate consumer notification for any data breach that may compromise a consumer’s personal information. The CRPA would expand the reach of these laws in several important ways.

The measure would expand the definition of personal information to include categories such as biometric data, commercial activity, internet browsing activity, geolocation data, IP address information, and any inferences drawn about consumers from this data. The CRPA would require businesses to notify consumers upon request if they collect or share personal information, even if for non-direct marketing purposes, including the categories of information collected or shared. It would allow consumers to opt out from the sale or sharing of their information, and require the business to post on any website homepage an opt-out link with the text “Do Not Sell My Personal Information.” It would also prohibit businesses from charging or treating differently any consumers who request information or choose to opt out.

The CRPA would further impose liability on businesses that have suffered a data breach. The standard for liability is whether the business has “failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.” In other words, application of the standard may be a question of fact for a jury.

Under the measure, consumers who have suffered a violation, including having their information sold despite opting out or having their data taken in a data breach, would be able to bring a civil action against the business for statutory damages, even if they have not suffered any harm as a result of the violation or breach. For any proven violation of the CRPA, civil litigants “shall” recover statutory damages of $1,000 per violation, even if they have not suffered any actual damages. And if the consumers can show that a violation was knowing or willful, which under certain circumstances might again constitute a question of fact for a jury, the statutory damages could increase to as much as $3,000 per violation even if no actual injury has occurred.

Moreover, businesses that violate the CRPA could be subject to a civil action brought by the California Attorney General or local prosecutors, assessing civil penalties of up to $7,500 per intentional violation. Private attorneys would be able to request that the Attorney General file a civil action, and if the Attorney General declines to do so, the private attorneys would be allowed to file suit in place of the government and recover 25 to 50% of any ultimate award.

In short, if the CRPA appears on the ballot and passes, it will be déjà vu all over again for in-house attorneys and information officers of businesses that do business in California. While the measure is not identical to GDPR, its definition of personal information and the restrictions on the use of that information will likely create similar headaches.