AB 375 (Chau, Hertzberg), the California Consumer Privacy Act, was passed in late June to avoid a big ballot fight in November over the flawed “privacy initiative.” However, due to a hard deadline to withdraw the ballot initiative, there was little time for meaningful policy negotiation about a law that has a huge impact on many, many businesses.
Lots of folks think this new law only applies to the tech industry. That is not the case. If 50,000 people visit your website in a year, your business has to comply with this new law. If you go through 50,000 sales leads in a year, this bill applies to your business. It’s much broader than people realize.
Anyway, CalChamber had serious concerns with AB 375, particularly with the private right of action. But the “privacy initiative” was even worse and, if it passed, would be almost impossible to amend in the future. So, although we opposed the bill, we encouraged members to vote for it to avoid the alternative.
The authors of AB 375 agreed that the bill would need fixes. They designated SB 1121 (Dodd) as the vehicle for immediate clean-up of AB 375, and committed to work on bigger problems with the bill during the 2019 session.
The business community spent the July recess poring over AB 375 with privacy experts from around the country. We put together a detailed letter addressed to Senator Dodd proposing language for SB 1121 to fix aspects of AB 375 just won’t work and that will result in unintended consequences.
Senator Dodd, Assembly member Chau, and Senator Hertzberg have indicated they may not be able to address the bulk of our concerns in the last weeks of session. Thus, our most important ask is that the compliance date be delayed to reflect the reality that there will be legislative fixes to this bill not likely completed until September 2019, which will not give businesses nearly enough time to comply with this complex law by January 1, 2020, the current compliance date.
Additionally, the Attorney General must undergo a robust rulemaking process directed by AB 375, and it does not make sense for the AG to finalize that process when so many problems with the bill still need to be fixed. It is going to be very expensive for businesses to create systems to comply with AB 375 – they shouldn’t have to do it twice. So we are requesting that compliance not be required until 12 months after the completion of the AG’s rulemaking process, and that AG rulemaking not be finalized until after next year’s session.
Another one of our key requests is to amend the definition of “consumer.” Currently, consumer is defined as any California resident. Without clarification, this could be interpreted to include employees. Why is this a problem? Well, AB 375 allows “consumers” to request that a business delete their data. If the definition is not changed to exclude employees, an employee accused of sexual harassment could request that complaints about them be deleted. Also, if employees are not excluded from the definition of “consumer,” businesses will need to create separate compliance systems for consumer information and employee information – adding more costs for something that was not even supposed to be part of this “consumer data” bill.
Some of our other concerns raised in the letter include ensuring that loyalty and rewards programs may continue, that clinical trials of lifesaving drugs will not be interrupted, and that there is a robust fraud exemption to protect consumers.
Our calendars are jam packed with meetings in this final, end-of-session crunch to educate legislators about the problems with AB 375 that need to be addressed in SB 1121 and beyond. So far, our concerns have been well taken. Soon, we will find out what issues will be addressed now and what issues will have to wait until next year. Stay tuned…!