Governor Brown Signs California Consumer Privacy Act of 2018 into Law in Response to Recent Data Breaches

Written By ESR News Blog Editor Thomas Ahearn

On June 28, 2018, Governor Jerry Brown signed into law a comprehensive internet privacy and data breach protection bill called the California Consumer Privacy Act of 2018 (Assembly Bill 375), according to a press release on the website of Senator Bill Dodd (D-Napa), one of the authors of the landmark bill.

Introduced by Senator Dodd, Senator Bob Hertzberg (D-Van Nuys), and Assemblymember Ed Chau (D-Monterey Park), AB 375 – which takes effect on January 1, 2020 – is a response to the recent data breaches affecting millions of consumers experienced by Target, Equifax, Cambridge Analytica, and others.

“Once again California is taking the lead in protecting consumers and holding bad actors accountable,” Senator Dodd stated in the press release. “My hope is other states will follow, ensuring privacy and safeguarding personal information in a way the federal government has so far been unwilling to do.”

AB 375 expands the rights of consumers to know what data is being collected about them online and even to delete it. The law will also empower consumers to decline the sale of their information and to report violations, which the violator must address or risk civil action. Specifically, AB 375 will:

  • Grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
  • Require a business to make disclosures about the information and the purposes for which it is used.
  • Grant a consumer the right to request deletion of personal information.
  • Require the business to delete upon receipt of a verified request, as specified.
  • Grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of third parties to which the information was sold or disclosed.
  • Require a business to provide this information in response to a verifiable consumer request.
  • Authorize a consumer to opt out of the sale of personal information by a business and prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
  • Authorize businesses to offer financial incentives for collection of personal information.
  • Prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in.
  • Prescribe requirements for receiving, processing, and satisfying these requests from consumers.
  • Prescribe various definitions for its purposes and define “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.
  • Prohibit the provisions described above from restricting the ability of the business to comply with federal, state, or local laws, among other things.

The California Consumer Privacy Act of 2018 also provides for its enforcement by the Attorney General, provides a private right of action for unauthorized access and theft or disclosure of nonencrypted or nonredacted personal information of consumers, and prescribes distribution of proceeds from the law.

In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people and established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use of their personal data.

Since then, the California Legislature has adopted specific mechanisms to safeguard the privacy of Californians, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light. It is the intention of AB 375 to further the right to privacy for Californians by ensuring:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.

San Francisco, California area background check firm Employment Screening Resources (ESR) selected the need for background screening firms to ensure privacy and information security, in the wake of so many well-publicized data breaches, as one of the “ESR Top Ten Background Check Trends” for 2018.

Data breaches are big news. In May 2017, California Attorney General Xavier Becerra announced an $18.5 million settlement with Target for failing to provide reasonable data security after more than 40 million customers had payment card information compromised in a data breach during the 2013 holiday season.

In September 2017, Equifax – one of three nationwide credit reporting agencies along with Experian and TransUnion – announced that a massive data breach incident had impacted approximately 143 million Americans, or almost half the population of the country, a number that grew to 145.5 million people.

In March 2018, the Federal Trade Commission (FTC) – the primary federal data security enforcement agency – opened an investigation into the privacy practices of Facebook after a data breach allowed data analytics firm Cambridge Analytica to access the personal information of 50 million Facebook users.

ESR realizes data breach protection is a mission-critical issue in the Information Age and undergoes annual SOC (Service Organization Control) 2 audits to ensure the company meets high standards of the American Institute of Certified Public Accountants (AICPA) to protect the privacy of consumer data used for background checks.

ESR is also accredited by the National Association of Professional Background Screeners (NAPBS) for proving compliance with the Background Screening Agency Accreditation Program (BSAAP), a widely recognized seal of approval for background screening firms that are committed to maintaining high standards of excellence.

The California Consumer Privacy Act has similar characteristics to the General Data Protection Regulation (GDPR), the primary law regulating how companies protect the privacy of European Union (EU) citizens, which carries penalties of up to four percent of annual global turnover or €20 million ($23+ million).

ESR helps U.S. employers performing international background checks in the EU to comply with the GDPR – the enforcement of which began on May 25, 2018 – by incorporating fully compliant GDPR policies, procedures, and technologies to augment the award-winning ESR Assured Compliance® system with required GDPR tools.

ESR won the 2018 TekTonic Award from HRO Today Magazine that recognizes innovation and disruption in HR and recruiting technology for the ESR Assured Compliance® system that revolutionizes background screening and enables employers to mitigate risk while maintaining compliance with a myriad of screening laws.

ESR was also among the first background screening firms to adopt the Privacy Shield Framework designed to replace the Safe Harbor agreement invalidated in 2015. ESR achieved its EU-U.S. Privacy Shield Framework certification on August 12, 2016, and its Swiss-U.S. Privacy Shield Framework certification on March 5, 2018.

ESR Protects the Privacy of Data Used for Background Screening

Employment Screening Resources (ESR) – a global background check firm – is accredited by the NAPBS, undergoes annual SOC 2 audits, and adheres to the EU-U.S. and Swiss-U.S. Privacy Shield Framework to protect the privacy of consumer data used for background screening. To learn more, visit www.esrcheck.com.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2018 Employment Screening Resources® (ESR) – Making copies of or using any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.