California Enacts Controversial Data Privacy Law

California Gov. Jerry Brown yesterday signed a bill creating new data privacy requirements for businesses that handle consumer data in the state. The bill was passed as a compromise measure to avert a more intrusive ballot initiative this fall; while business groups find the legislation only marginally better than the initiative, the process of amending the new law would be easier.

Effective on Jan. 1, 2020, the new law grants consumers a right to request that businesses disclose what personal information it has about individual consumers, what it uses the data for and how it is shared. It also requires businesses to delete that data upon request, among other provisions. Unlike the proposed ballot initiative, which would have granted a private right of action with statutory damages, the law limits enforcement authority to the state’s attorney general. Consumers have a right to sue in response to a data breach, however.

For financial companies subject to the privacy provisions of the Gramm-Leach-Bliley Act, the law provides a narrow exception for consumer data collected, processed, sold or disclosed pursuant to GLBA, if the requirements of the state law are in conflict with GLBA. The California Bankers Association and other business groups will continue urging California lawmakers to amend the law as the compliance date draws closer. The American Bankers Association is closely following the process. For more information, contact ABA’s Sabrina Bergen.