California Consumer Privacy Act of 2018 the First State Law Inspired by GDPR

by | Jul 6, 2018

On June 28, 2018, California passed AB 375, the California Consumer Privacy Act of 2018 (CCPA), which will become effective January 1, 2020. It is thought that this will be the first of many State laws in the United States inspired by European Union’s General Data Protection Regulation (GDPR).

CCPA was formulated to safeguard the privacy of California consumers. Some of the provisions and stipulation are similar to the facets that comprise the GDPR legislation, such as a new and wide-ranging definition of what is included in protected personal information. This new legislation will change the way for companies and for-profits organizations that manage personal private data operate. Personal information under the CCPA incorporates “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

Data listed as personal information in the new legislation includes IP Addresses, email addresses, purchasing history and habits, browsing/search history, geolocation data, audio/visual/thermal information, personal and employment information and education information.

For profit companies will be subjected to the new legislation if they meet any of following criteria:

  1. Annual gross revenues over $25,000,000
  2. Annually process the personal information of 50,000 or greater California residents, households, or devices or
  3. At least 50% of their gross revenue is generated from the sale of personal information

CCPA Requirements

The California State law significantly increases consumers’ rights of access to and control over how their personal information is collected. Consumers are now allocated the following right:

  • Right to Personal Information Collected by Businesses – Consumers are given the right (subject to identity verification) to obtain a record of the personal information that a business gathers in relation to them, as well as the details about the sources of, and the business or commercial uses for, that personal information.
  • Right to Erase Personal Information – Consumers can request (subject to identity verification and limited exceptions) a business and its service providers to erase any personal data the business has about the consumer once the information is no longer necessary to keep it.
  • Right of Opt-Out – Consumers are given the right to opt-out of any future sale of their personal information via a “Do Not Sell My Personal Information” link on a business’ official website homepage.
  • Opt-In Requirement for Minors – Businesses are banned from selling the personal information of consumers whom the businesses are not yet 16 years old and for whom they do not have adequate opt-in consent.
  • Prohibits Waiver and Retaliation by Businesses – Waivers of consumer rights and remedies under the remit of the CCPA are unenforceable and businesses cannot discriminate against consumers for exercising their rights in line with CCPA, such as by denying goods or services to the consumer or by charging or suggesting different prices or rates for goods and services.
  • Greater Transparency – Businesses will need to be significantly more transparent about their collection and use of personal data and must provide consumers with notice (in their privacy policies) of their new rights under the CCPA.

The Attorney General of California will penalize companies that do not comply with the CCPA, with the sanction for failing to address alleged violations within 30 days $7,500 per violation.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy