February 6, 2019/in blog/by Bill Vann
A consumer is defined as a “natural person who is a California resident.” This is further defined as:
An individual who is in the state for any purpose that is not transitory or temporary
Any individual who lives in the state but currently or occasionally is outside the state for a temporary or transitory purpose
This means consumers traveling to, or with partial residence in, other states would be protected, as long as their home is California. It also means that the law applies to both “business-to-consumer” (B2C) and “business-to-business” (B2B) companies.
A covered “business” is defined as a for-profit entity that meets 1 of the 3 following conditions.
CaCPA states that they must also meet the following 4 conditions.
Any “for profit business” passing this test will be subject to the law, regardless of its geographic location. According to the IAPP, the law is estimated to apply to more than 500,000 U.S. companies, most of which are small- to medium-sized. It will also impact businesses outside the U.S., as long as they do any of their business in California.
For intentional violations not addressed within 30 days, the fine is from $2,500 to $7,500 per violation (e.g., per record in the database). For unintentional violations not addressed within 30 days, consumers are able to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
Twenty percent of the penalties collected by the State will be allocated to a new “Consumer Privacy Fund”. Any funds in excess of Court and collection costs may be placed in the CA State General Fund.
The CaCPA was rushed through the legislature in just 7 days’ time and was signed just hours before the closing of the 2017-18 California legislative session. That is speedy for a law with such widespread ramifications.
This rush was in response to a much stricter ballot initiative proposed by San Francisco real estate developer Alistair Mactaggart. Mactaggart spent $3.5 million of his own money to fund initiative measure No. 17-0039, which received more than 629,000 signatures, more than enough to put the issue on the November 2018 ballot.
CaCPA’s definition of personal information is much more extensive than the definition of PII; it aligns more closely with the broader list in the GDPR. It’s defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to the information typically included under PII, it also includes:
Just days before Mactaggart could certify the signatures, California Democrats agreed to push a compromise bill in exchange for dropping the initiative. Tech industry lobbyists believe that they will have a much better chance of controlling the narrative and the ultimate impact of the CaCPA by participating fully. Industry lobbyists agreed not to oppose the bill since the much less favorable ballot initiative had a good shot of passing later in the year.
18 months’ time to lobby on how to rewrite the details of the bill.
The CA legislature can modify the CaCPA with a simple majority instead of the 70% supermajority required by initiative measure No. 17-0039.
CaCPA makes it more difficult for consumers to sue noncompliant businesses, giving most of the enforcement control to the CA state Attorney General.
CaCPA affects more companies, as it lowered the threshold by half to businesses with only $25 million annual revenue.
“Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” the Internet Association lobbying group said. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
The winners and losers of this bit of legislation (10,660 words) have yet to be determined, due to the massive rewriting of the details going on right now. It is very likely that the new and improved CaCPA will apply mainly to small to medium-sized businesses, the ones that can’t afford the high-priced lobbyists and their huge expenses. This bill, hastily written and barely reviewed by anyone other than its writers, with its many typos and poorly written text, was approved by Governor Brown on June 28th, 2018. On Aug. 24th, just 57 days later, the first 45 amendments came. These amendments were primarily to adjust technical errors. Buckle up, Buttercup.
Sources: Assembly Bill No. 375, IAPP The Privacy Advisor, New York Times, FairWarning