In early May, a group called Californians for Consumer Privacy gathered enough signatures for the Consumer Right to Privacy Act (CRPA) to qualify for the November 2018 ballot.
The ballot initiative builds on existing California laws directed at protecting the privacy of California consumers’ personal information, including the Shine the Light law (Civil Code §1798.83) and the California Online Privacy Protection Act (CalOPPA, Business & Professions Code §§22575-22579).
In contrast with the broad application of CalOPPA and Shine the Light law to companies doing business with California residents, CRPA more narrowly applies to companies doing business in the State of California that meet a certain revenue threshold or to companies primarily in the business of selling personal information. Under the CRPA, a business is defined as having a gross revenue in excess of $50 million, or that annually sells the personal information of 100,000 or more consumers or devices, or that derives 50% or more of its annual revenue from selling consumer’s personal information. Parent and subsidiary companies of such businesses that share common branding also fall under the CRPA’s definition of business.
While the CRPA’s primary definition of personal information leverages similar language for the term used in other privacy laws (and incorporates the categories of personal information set forth in the Shine the Light Law), it explicitly enumerates categories of information, notably: 1) unique identifiers (including probabilistic identifiers); 2) IP addresses; 3) commercial information, such as purchasing and consuming history and tendencies; 4) internet activity, including browsing history, search history and information regarding a consumer’s interactions with a website, application or advertisement; 5) psychometric data; and 6) inferences drawn from any of the enumerated categories. Personal information does not include publicly available information or information that has been de-identified.
The CRPA provides for broad enforcement powers. Importantly, a violation of the CRPA constitutes an injury in fact, and a consumer need not show money or property damages resulting from a violation in order to bring the action. Consumers can bring an action for statutory damages in the amount of $1,000 for each violation and up to $3,000 per violation for each knowing and willful violation. The CRPA also provides for enforcement by the California Attorney General. Pursuant to such enforcement, businesses could be liable for up to $2,500 per violation, and in the case of intentional violations, up to $7,500 per violation. Finally, the CRPA also provides a framework for whistleblower enforcement.
It may be too early to tell whether a majority of Californians will support and pass this ballot initiative in November. But with recent publicity of significant data breaches and mishandling of personal information, as well as a spotlight on European Union’s General Data Protection Regulation, companies that do business in the State of California and that fall under the CRPA’s definition of business should be prepared for the potential passage of the CRPA by understanding its requirements.