Wednesday, October 10, 2018

Canada's First Nationwide Data Security Breach Notification Requirement Becomes Effective November 1

Image result for canadian maple leaf technology

Canada's first nationwide data security breach notification requirement will become enforceable in a few days.  Here is what you need to know "ah-boot" it:

On June 18, 2015, the Digital Privacy Act received Royal Assent, making it law. The DPA introduced a number of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law governing the private sector (the Privacy Act controls privacy in the government). Among the amendments were new provisions related to data security breach reporting, which will become enforceable on November 1st, 2018

 The amendments to the PIPEDA made by the DPA include the following:
  • data breaches that pose a "real risk of significant harm" to individuals will need to be reported to the Office of the Privacy Commissioner, and affected individuals will need to be notified;
  • an organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm (e.g. credit card companies, financial institutions or credit reporting agencies, if their assistance is necessary for contacting individuals or assisting with mitigating harm);
  • records of all data breaches experienced by an organization will need to be maintained (for 24 months) and provided to the Privacy Commissioner upon request;
  • deliberately failing to report a data breach, or deliberately failing to notify an individual as required will be separate offences subject to fines of up to $100,000. In the case of notification to individuals, it will be a separate offence for every individual who is not notified; and
  • deliberately failing to keep, or destroying, data breach records will also be an offence, subject to a fine of up to $100,000.
Some Canadian provinces already had breach reporting notification requirements, such as Alberta's Personal Information Protection Act, which requires notification to the Information Privacy Commissioner of Alberta if there is a "real risk of significant harm" to an individual.

The new Breach of Security Safeguards Regulations published in the Canada Gazette (which sounds infinitely more readable than the Federal Register) on April 18, 2018 will also come into force on November 1, along with the related statutory requirements.     

You can read more about the law here

Data breach notification in the United States is required by certain federal laws that govern specific industries, and every state in the United States now has a data security breach notification requirement.  Alabama and South Dakota were the last states to adopt notification requirements, and both of those statutes became effective earlier this year, as I described back in April.

Monday, August 20, 2018

Becoming an ABA/IAPP Certified Privacy Law Specialist

I have just been certified as a Privacy Law Specialist by the International Association of Privacy Professionals, and by extension the American Bar Association, as part of the inaugural class of this brand new area of specialization.  Because a specialization in privacy law is something that has never before been possible in the United States, I thought I would describe the specialization, the application criteria and process, and how the ABA/IAPP certification interacts with state bar rules.

What is a legal specialization?

Many lawyers limit their practices to certain areas of law, because, frankly, the law has become far too complex for any one person to be competent, let alone proficient, in the entire spectrum of law.   Not every lawyer who focuses his or her practice on one or two areas of law, however, is necessarily proficient.  Recognizing this, virtually all state bars (the regulatory bodies that govern the practice of law) prohibit attorneys from calling themselves "specialists" or "experts" (or similar terms) unless they have been certified as specialists.  Certification is intended to objectively verify the lawyer's mastery of the practice area.  (See, for example, Rule 7.4 of the Rules of Professional Conduct of the North Carolina State Bar.)  According to the North Carolina State Bar:
"Certification of lawyers as specialists by an objective entity and according to objective criteria fulfills the mission of the State Bar to protect the public by providing relevant, truthful, and reliable information to consumers of legal services. Certification helps consumers to identify lawyers who have experience and skill in a certain area of practice. Certification also helps lawyers by encouraging them to improve their expertise in particular areas of practice and providing them with a legitimate way of informing the public and other lawyers of this expertise."
Most state bars create specializations and the associated criteria themselves, but about one-half of all states allow lawyers to hold themselves out as specialists if they are certified by an American Bar Association (ABA) accredited entity.

Why did the ABA and IAPP create this specialization?

After extensive deliberation, the American Bar Association's House of Delegates voted in February 2018 to approve a new certification in privacy law, making it the 15th such accredited specialization.  Although no state bar had yet issued a specialization certificate in privacy law, it had become clear that lawyers were focusing their practices on this rapidly-evolving area of law, which was becoming more and more complex and specialized.  The ABA acknowledged that privacy law has become so specialized that the public would benefit by knowing which attorneys could be deemed proficient according to objective standards.

What are the requirements?

If you want to be considered for Privacy Law Specialist status, you must meet each of the following seven requirements:
  1. Be an attorney admitted in good standing in at least one U.S. jurisdiction; 
  2. Earn a CIPP/US designation; 
  3. Earn either a CIPM or CIPT designation; 
  4. Pass a legal ethics exam administered by the IAPP (similar to a mini-MPRE exam) or submit a very recent MPRE score of at least 80 points;
  5. Provide evidence of “ongoing and substantial” involvement in the practice of privacy law (at least 25% of your full-time practice over the last three years);
  6. Supply evidence of at least 36 hours of continuing education in privacy law for the three-year period preceding the application date; and
  7. Provide five to eight peer references from attorneys, clients or judges who can personally attest to your qualifications.

What is the application process?

First, you need to achieve a passing score on each of three examinations: the CIPP/US exam, either the CIPM or CIPT exam, and the legal ethics exam.  These tests are all administered electronically at testing centers around the world.  You can schedule the exams online at the testing center nearest you, and results are delivered instantly.  The IAPP offers study guides for all of the exams except for the ethics exam.  (However, I created a study manual for the ethics exam, which I am happy to share with you.  Just connect with me on LinkedIn and send me a message!)

Next, you need to compile information about at least 36 hours of continuing education that you have obtained in the past three years relating to privacy or a closely-related area.  If you have not yet taken enough continuing education courses in the area, you need to defer your application and focus on obtaining more continuing education credits. 

You will also need to identify peers who will serve as your references.  I recommend you select lawyers with (or against) whom you have worked, because they have the best, firsthand knowledge of your experience and expertise.  I also suggest you confirm that they are willing to serve as a reference before you submit their names (because...courtesy!) and that you submit at least eight rather than the minimum number of five.  If some of your references get busy and fail to respond to the IAPP, your application could be denied. 

Of course, you will need to pay a fee.  For the $125 application fee, your initial IAPP membership will be included.  You do not have to become an IAPP member, but the annual certification fee is equivalent to the IAPP membership fee, and the membership is included, so it is difficult to imagine why any certificate holder would not also be a member.

Where can I learn more?

That's easy: The IAPP's website has more info.  (Also, the IAPP's staff was pretty cool about answering my questions.)

Can I become a state bar certified specialist in privacy law?

Not quite yet.  No state bar has certified specialists in privacy law, but the North Carolina State Bar has already approved a specialization in privacy and data security law and the first examination will be administered this fall.  This effort (led by yours truly) has been underway since before the ABA considered adopting a privacy law specialization, but the ABA was able to move more quickly because it decided to rely primarily on existing IAPP examinations.  In North Carolina, we are creating a three-hour examination which focuses on North Carolina law, as well as the IAPP's CIPP/US examination.  The first application deadline has already come and gone, and we look forward to certifying our first class of specialists soon!  If you are interested in establishing a privacy and data security specialization in your state, I would be happy to share my experiences with you.

Tuesday, August 14, 2018

What's a Certified Information Privacy Manager?

Not long ago, I became a Certified Information Privacy Manager.  "What is that, and why did you do it," you ask?  
IAPP CIPM logo - green circle with white text "CIPM IAPP"

About three years ago, and after practicing in privacy law for a few years, I became a Certified Information Privacy Professional.   Since then, I left private practice to become in-house counsel.  As an in-house lawyer, one of my challenges is helping my internal clients operationalize the legal advice I provide at the point where "the rubber meets the road."  As a result, I became interested in privacy management--the  practical implementation of privacy law and policies.  I studied the comprehensive guidebook, Privacy Program Management, published by the International Association of Privacy Professionals, and then decided to become a Certified Information Privacy Manager (CIPM).  

This summary of the CIPM is for others who may be interested in pursuing the certification.

Studying Privacy Program Management involves learning about the processes that organizations use to implement privacy, as well as the benefits and detriments of each approach, at a very specific level.  The materials cover, and applicants for the CIPM are given a comprehensive exam that covers, the following areas: 

I. Privacy Program Governance
A. Organization Level
a. Create a company vision
i. Acquire knowledge on privacy approaches
ii. Evaluate the intended objective
iii. Gain executive sponsor approval for this vision
b. Establish a privacy program
i. Define program scope and charter
ii. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws
iii. Develop a privacy strategy
1. Business alignment
a. Finalize the operational business case for privacy
b. Identify stakeholders
c. Leverage key functions
d. Create a process for interfacing within organization
e. Align organizational culture and privacy/data protection objectives
f. Obtain funding/budget for privacy and the privacy team
2. Develop a data governance strategy for personal information (collection, authorized use, access, destruction)
3. Plan inquiry/complaint handling procedures (customers, regulators, etc.)
c. Structure the privacy team
i. Governance models
1. Centralized
2. Distributed
3. Hybrid
ii. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization
1. Large organizations
a. Chief privacy officer
b. Privacy manager
c. Privacy analysts
d. Business line privacy leaders
e. “First responders”
2. Small organizations/sole data protection officer (DPO) including when not only job
iii. Designate a point of contact for privacy issues
iv. Establish/endorse the measurement of professional competency
B. Develop the Privacy Program Framework
a. Develop organizational privacy policies, standards and/or guidelines
b. Define privacy program activities
i. Education and awareness
ii. Monitoring and responding to the regulatory environment
iii. Internal policy compliance
iv. Data inventories, data flows, and classification
v. Risk assessment (Privacy Impact Assessments [PIAs], etc.)
vi. Incident response and process, including jurisdictional regulations
vii. Remediation
viii. Program assurance, including audits
C. Implement the Privacy Policy Framework
a. Communicate the framework to internal and external stakeholders
b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework
i. Understand applicable national laws and regulations (e.g., GDPR)
                                    ii. Understand applicable local laws and regulations
iii. Understand penalties for noncompliance with laws and regulations
iv. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.)
v. Understand privacy implications of doing business in or with countries with inadequate, or without, privacy laws
vi. Maintain the ability to manage a global privacy function
vii. Maintain the ability to track multiple jurisdictions for changes in privacy law
viii. Understand international data sharing arrangements agreements
D. Metrics
a. Identify intended audience for metrics
b. Define reporting resources
c. Define privacy metrics for oversight and governance per audience
i. Compliance metrics (examples, will vary by organization)
1. Collection (notice)
2. Responses to data subject inquiries
3. Use
4. Retention
5. Disclosure to third parties
6. Incidents (breaches, complaints, inquiries)
7. Employees trained
8. PIA metrics
9. Privacy risk indicators
10. Percent of company functions represented by governance mechanisms
ii. Trending
iii. Privacy program return on investment (ROI)
iv. Business resiliency metrics
v. Privacy program maturity level
vi. Resource utilization
d. Identify systems/application collection points

II. Privacy Operational Life Cycle
A. Assess Your Organization
a. Document current baseline of your privacy program
i. Education and awareness
ii. Monitoring and responding to the regulatory environment
iii. Internal policy compliance
iv. Data, systems and process assessment
1. Map data inventories, flows and classification
2. Create “record of authority” of systems processing personal information within the organization
3. Map and document data flow in systems and applications
4. Analyze and classify types and uses of data
v. Risk assessment (PIAs, etc.)
vi. Incident response
vii. Remediation
viii. Determine desired state and perform gap analysis against an accepted standard or law
ix. Program assurance, including audits
b. Processors and third-party vendor assessment
i. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks
1. Privacy and information security policies
2. Access controls
3. Where personal information is being held
4. Who has access to personal information
ii. Understand and leverage the different types of relationships
1. Internal audit
2. Information security
3. Physical security
4. Data protection authority
iii. Risk assessment
1. Type of data being outsourced
2. Location of data
3. Implications of cloud computing strategies
4. Legal compliance
5. Records retention
6. Contractual requirements (incident response, etc.)
7. Establish minimum standards for safeguarding information
iv. Contractual requirements
v. Ongoing monitoring and auditing
c. Physical assessments
i. Identify operational risk
1. Data centers
2. Physical access controls
3. Document destruction
4. Media sanitization (e.g., hard drives, USB/thumb drives, etc.)
5. Device forensics
6. Fax machine security
7. Imaging/copier hard drive security controls
d. Mergers, acquisitions and divestitures
i. Due diligence
ii. Risk assessment
e. Conduct analysis and assessments, as needed or appropriate
i. Privacy Threshold Analysis (PTAs) on systems, applications and processes
ii. Privacy Impact Assessments (PIAs)
1. Define a process for conducting Privacy Impact Assessments
a. Understand the life cycle of a PIA
b. Incorporate PIA into system, process, product life cycles
B. Protect
a. Data life cycle (creation to deletion)
b. Information security practices
i. Access controls for physical and virtual systems
1. Access control on need to know
2. Account management (e.g., provision process)
3. Privilege management
ii. Technical security controls
iii. Implement appropriate administrative safeguards
c. Privacy by Design
i. Integrate privacy throughout the system development life cycle (SDLC)
ii. Establish privacy gates/PIAs-Data Protection Impact Assessments (DPIAs) as part of the standard process, system development framework
C. Sustain
a. Measure
i. Quantify the costs of technical controls
ii. Manage data retention with respect to the organization’s policies
iii. Define the methods for physical and electronic data destruction
iv. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use
b. Align
i. Integrate privacy requirements and representation into functional areas across the organization
1. Information security
2. IT operations and development
3. Business continuity and disaster recovery planning
4. Mergers, acquisitions and divestitures
5. Human resources
6. Compliance and ethics
7. Audit
8. Marketing/business development
9. Public relations
10. Procurement/sourcing
11. Legal and contracts
12. Security/emergency services
13. Finance
14. Others
c. Audit
i. Align privacy operations to an internal and external compliance audit program
1. Knowledge of audit processes
2. Align to industry standards
ii. Audit compliance with privacy policies and standards
iii. Audit data integrity and quality
iv. Audit information access, modification and disclosure accounting
v. Communicate audit findings with stakeholders
d. Communicate
i. Awareness
1. Create awareness of the organization’s privacy program internally and externally
2. Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements
3. Develop internal and external communication plans to ingrain organizational accountability
4. Identify, catalog and maintain documents requiring updates as privacy requirements change
ii. Targeted employee, management and contractor training
1. Privacy policies
2. Operational privacy practices (e.g., standard operating instructions), such as
a. Data creation/usage/retention/disposal
b. Access control
c. Reporting incidents
d. Key contacts
e. Monitor
i. Environment (e.g., systems, applications) monitoring
ii. Monitor compliance with established privacy policies
iii. Monitor regulatory and legislative changes
iv. Compliance monitoring (e.g. collection, use and retention)
1. Internal audit
2. Self-regulation
3. Retention strategy
4. Exit strategy
D. Respond
a. Information requests
i. Access
ii. Redress
iii. Correction
iv. Managing data integrity
b. Privacy incidents
i. Legal compliance
1. Preventing harm
2. Collection limitations
3. Accountability
4. Monitoring and enforcement
ii. Incident response planning
1. Understand key roles and responsibilities
a. Identify key business stakeholders
1. Information security
2. Legal
3. Audit
4. Human resources
5. Marketing
6. Business development
7. Communications and public relations
8. Other
b. Establish incident oversight teams
2. Develop a privacy incident response plan
3. Identify elements of the privacy incident response plan
4. Integrate privacy incident response into business continuity planning
iii. Incident detection
1. Define what constitutes a privacy incident
2. Identify reporting process
3. Coordinate detection capabilities
a. Organization IT
b. Physical security
c. Human resources
d. Investigation teams
e. Vendors
iv. Incident handling
1. Understand key roles and responsibilities
2. Develop a communications plan to notify executive management
v. Follow incident response process to ensure meeting jurisdictional, global and business requirements
1. Engage privacy team
2. Review the facts
3. Conduct analysis
4. Determine actions (contain, communicate, etc.)
5. Execute
6. Monitor
7. Review and apply lessons learned
vi. Identify incident reduction techniques
vii. Incident metrics—quantify the cost of a privacy incident

The examination lasts two hours, and can be taken at one of the approved testing centers around the world.   Examinees who pass are notified instantly, and certificates are delivered within a matter of weeks.   Once certified, CIPMs must complete a significant amount of continuing privacy education each year in order to maintain the certification, which you can read about here.

If you would like to learn more about the CIPM credential, check out the Resource List, Body of Knowledge, Candidate Handbook, Exam Blueprint, preparation guide.   Good luck!

Thursday, June 28, 2018

California Enacts Sweeping Privacy Law to Avoid Vote on Ballot Proposal in November

Well, they did it.  

California is re-shaping U.S. privacy law again.  At the last possible minute, California lawmakers enacted a statute and persuaded the proponent of a strict privacy ballot initiative to withdraw the proposal.  

Today, the California legislature passed, and the California Governor signed, Assembly Bill 375 (the "Consumer Right to Privacy Act of 2018").  I wrote last week about the proposed bill, which resembles the ballot initiative of the same name, but is more business-friendly in most (but not all) ways than the ballot proposal (which I described here). The proponents of the ballot imitative have revoked their proposal on the final day prior to official qualification for the November ballot. 

image of laptop computer with eye on screen and text "California" Matt Cordell is a great privacy lawyerThe world now has until January 1, 2020 to decide how to play by the new rules in California. 

Rumors are already swirling on social media that the statute could be amended (i.e., weakened) before it becomes effective. (Statutes enacted by the California legislature can be more easily amended than laws approved by voters at the ballot box.) 

You can read my initial thoughts on the bill in my earlier post.  I intend to provide a more detailed analysis soon. 

Saturday, June 23, 2018

California Lawmakers Make Last-Ditch Effort to Preempt Privacy Ballot Proposal

I recently wrote about a ballot initiative in California that, if approved by voters in November, will dramatically change privacy law in California (and very likely the rest of the United States).  Two days ago, a bill was introduced in the California legislature in an attempt to pre-empt the ballot initiative.  (Remember how I keep telling you how quickly things move in privacy law?!?!)

image of laptop with eyeball and written text California [If you have not already, read my summary and analysis of the ballot initiative first.]

California's deadline for collecting signatures for initiatives to be included on the ballot in the fall is June 28 (next week).  The Consumer Right to Privacy Act of 2018 (v.2, No. 17-0039) already has far more signatures than is necessary, and is almost certain to be eligible for inclusion on the ballot when the deadline arrives next week.  Many industries, and specifically the digital advertising industry, are scrambling to address it before it causes massive disruption (and opportunity?) in the digital marketing world.

Two days ago, on June 21, California lawmakers (from each house) introduced AB 375 in the Assembly, titled "The California Consumer Privacy Act of 2018" (which, if you are paying attention, you will notice has the same title as the ballot proposal...probably not by accident).  If this bill is adopted by the legislature and signed by the Governor before the ballot initiative's qualification deadline next week (6/28), the proponent of the ballot initiative has agreed to revoke the ballot proposal from consideration.

As you might imagine, the legislative bill intentionally includes several elements that are present in the ballot initiative, but is more friendly to business (especially digital marketing/advertising) in some ways than the ballot proposal.  Importantly, the bill would be enforced primarily by the California Attorney General, whereas the ballot initiative would  likely leave enforcement primarily to plaintiff's class action lawyers.  Penalties under the bill are limited to $100-750 per violation, and only for failing to protect data from a breach.  The bill also has important exclusions, such as data collected for one-time transactions, de-identified data, etc.  Based on my initial reading, the right of a consumer to opt out in the bill appears to apply only to data sales, not just data sharing for business purposes.  The proposal's prohibition on discriminating against consumers who opt out seems somewhat softened in the bill.

On the other hand, the bill seems to be a bit more rigorous in some ways (surprisingly!).  For example, the bill would require organizations to tell a consumer the "specific pieces" of personal information that have been collected about an individual Californian (not just the "categories" of information).  In addition, the bill includes a data deletion right similar to the EU concept of the "right to be forgotten" (but with several exceptions, some broad).

Friday, May 11, 2018

California May Be Poised To Dramatically Alter Consumer Privacy (Again)

I have previously written (for example, hereherehere, and here) that California law usually dictates U.S. privacy practices because it tends to be the most protective of consumer privacy (or aggressive, depending upon your perspective).  California may once again be poised to dramatically re-shape consumer privacy in the United States.
An aggressive consumer privacy proposal has gained enough signatures to be placed on the California ballot for a referendum in November. If enacted, it would effectively create a new set of standards for consumer privacy throughout the U.S., because most companies would likely adopt the California standards nationwide rather than treating California residents differently from other Americans.  

The Consumer Right to Privacy Act of 2018 (specifically v.2, No. 17-0039, which I'll call the "Proposal") was filed October 12, 2017, and has gained almost twice the number of signatures necessary to be included in the November ballot (which is usually an indication that professional petition firms have been engaged).  The qualification deadline is June 28, and it appears that nothing stands in the way of this Proposal making its way onto the ballot.  The named sponsor of the Proposal is the lobbying/law firm of Remcho, Johnasen & Purcell, LLP out of Oakland California. However, it is said that Alastair A. Mactaggart,  a wealthy San Francisco-based real estate investor and executive, is funding this project. He seems to be a first-time political activist who has not been so heavily involved in ballot initiatives in the past.  
In a Nutshell

The over-simplified-but-concise explanation is that the Proposal:

  • Would give a consumer the right to demand an accounting of all disclosures made by a business of information about the consumer.
  • Would make it illegal to “sell” or "disclose" for a business purpose information about a consumer once a consumer opts out.
  • Would prohibit a business from conditioning any offering or service on a consumer's opt-out decision.
  • Would require very specific disclosures on all business websites.
  • Would be enforced primarily by class action litigation rather than a state entity.  
  • Would not require that any consumer actually suffer any harm (strict liability). 
  • Would result in penalties of $1,000 per person per occurrence, and up to $3,000 if the government concludes the violation was knowing.
  • Would deem a data security breach to be a violation of law by the breached company if the company's security procedures were not reasonable (judged, of course, with the benefit of hindsight).

In More Detail

The Proposal confers on a consumer the right to know what categories of personal information are being collected by a business. 
The Proposal gives a consumer the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer's personal information (the so-called “Opt-Out”). A business must give consumers a notice of this Opt-Out right and must honor Opt Outs after receiving them (presumably immediately). A consumer can authorize another person to Opt Out on his or her behalf, but the Proposal does not specify what form that authorization should take (e.g., a power of attorney).
A business cannot “discriminate against” a consumer because the consumer requested information or opted out, including by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; ( c) providing a different level or quality of goods or services to the consumer; or ( d) suggesting that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services, if the consumer exercises the consumer's rights.  (It is worth noting that this provision goes further than even the GDPR)
A business must designate at least two methods for consumers to submit requests for information, including a toll-free telephone number, and if the business maintains a website, a website address.
Requests for information must be honored within 45 days, with no delay allowed for verifying the request. The look-back period is 12 months, and the consumer controls how the report is delivered. Only one demand may be made each 12 months.
Opt-out requests must be honored for at least 12 months, and then it appears that the Proposal would require an affirmative consent from the consumer in order for a business to begin sharing information again. [This provision is somewhat unclear.]
Website (and probably application) privacy policy statements must be revised to include a statement of rights that Californians have under the Proposal and a link to the opt-out mechanism titled.  The link must be “clear and conspicuous” and titled "Do Not Sell My Personal Information." 
There is a training provision in the Proposal that requires “all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with [the Proposal]” to be aware of how to handle those inquiries.
A business that suffers a security breach involving consumers' personal information may be held liable if the business has failed to implement and maintain "reasonable security procedures and practices."

The Proposal includes a private right of action, and the consumer need not show that he or she suffered a loss of money or property as a result of the violation in order to bring an action. Statutory damages are set at one thousand dollars ($1,000) or actual damages, whichever is greater, for each violation, but a knowing and willful violation can result in damages of three thousand dollars ($3,000), or actual damages, whichever is greater, for each violation. An intentional violation can result in a civil penalty.  Civil penalties of up to $7,500 for each violation are authorized for intentional violations. A civil enforcement action can be brought by the California Attorney General, by any district attorney, any city attorney of a city having a population in excess of 750,000, by any city attorney, or any full-time city prosecutor, in any court of competent jurisdiction.

The devil is in the details, and at least some of the Proposal's terms are defined in ways that could be easily misunderstood:

The categories of personal information covered by the Proposal are:
(1) Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
(2) All categories of personal information enumerated in Civil Code 1798.80 et. seq, with specific reference to the category of information that has been collected (any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.)
(3) All categories of personal information relating to characteristics of protected classifications under California or federal law, with specific reference to the category of information that has been collected, such as race, ethnicity, or gender;
(4) Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
(5) Biometric data;
(6) Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
(7) Geolocation data;
(8) Audio, electronic, visual, thermal, olfactory, or similar information;
(9) Psychometric information;
(10) Professional or employment-related information;
(11) Inferences drawn from. any of the information identified above; and
(12) Any information pertaining to minor children of a consumer.
"Personal information" does not include information that is publicly available or that is de-identified.
The terms "sell," "selling," "sale," or "sold," includes sharing orally, in writing, or by electronic or other means, a consumer's personal information with a third party, whether for valuable consideration or for no consideration, for the third party's commercial purposes.
"Third party" means any person who is not (i) the “business” that collects personal information from consumers or (ii) to whom the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract tightly restricts further resale, use or retention beyond the scope of the business purpose and includes a “certification” that the recipient understands the restrictions. 
The term "business" means any organization that is for-profit, has annual revenue of at least $50MM, or 100,000 or more consumers annually, or derives at least half of its revenue from selling consumer information. A business includes entities controlled by another (including by 50% or more voting equity), or businesses that share a common brand or trademark.


Opponents are already pointing out some downsides to the Proposal:  For example, there’s no safety exception. Some businesses might not be able to send recall notices to consumers who have opted out. A car dealer might not be able to share consumer information with a car manufacturer for purposes of compiling recall notice lists.
There is also a fear that without a requirement to demonstrate any actual harm, frivolous litigation will run amok and drive up insurance costs and other costs of doing business.
There is also the argument that California should not be attempting to regulate the “world wide web.”  Some fear that businesses will begin to exclude California customers or will cease services in order to avoid the burdens of the Proposal.   
More Information

You can read the proposal in its entirety here and judge for yourself.

I intend to follow this Proposal closely, and will likely post more about developments here and on LinkedIn and Twitter