California Consumer Privacy Act of 2018 the First State Law Inspired by GDPR

On June 28, 2018, California passed AB 375, the California Consumer Privacy Act of 2018 (CCPA), which will become effective January 1, 2020. It is thought that this will be the first of many State laws in the United States inspired by European Union’s General Data Protection Regulation (GDPR).

CCPA was formulated to safeguard the privacy of California consumers. Some of the provisions and stipulation are similar to the facets that comprise the GDPR legislation, such as a new and wide-ranging definition of what is included in protected personal information. This new legislation will change the way for companies and for-profits organizations that manage personal private data operate. Personal information under the CCPA incorporates “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

Data listed as personal information in the new legislation includes IP Addresses, email addresses, purchasing history and habits, browsing/search history, geolocation data, audio/visual/thermal information, personal and employment information and education information.

For profit companies will be subjected to the new legislation if they meet any of following criteria:

  1. Annual gross revenues over $25,000,000
  2. Annually process the personal information of 50,000 or greater California residents, households, or devices or
  3. At least 50% of their gross revenue is generated from the sale of personal information

CCPA Requirements

The California State law significantly increases consumers’ rights of access to and control over how their personal information is collected. Consumers are now allocated the following right:

  • Right to Personal Information Collected by Businesses – Consumers are given the right (subject to identity verification) to obtain a record of the personal information that a business gathers in relation to them, as well as the details about the sources of, and the business or commercial uses for, that personal information.
  • Right to Erase Personal Information – Consumers can request (subject to identity verification and limited exceptions) a business and its service providers to erase any personal data the business has about the consumer once the information is no longer necessary to keep it.
  • Right of Opt-Out – Consumers are given the right to opt-out of any future sale of their personal information via a “Do Not Sell My Personal Information” link on a business’ official website homepage.
  • Opt-In Requirement for Minors – Businesses are banned from selling the personal information of consumers whom the businesses are not yet 16 years old and for whom they do not have adequate opt-in consent.
  • Prohibits Waiver and Retaliation by Businesses – Waivers of consumer rights and remedies under the remit of the CCPA are unenforceable and businesses cannot discriminate against consumers for exercising their rights in line with CCPA, such as by denying goods or services to the consumer or by charging or suggesting different prices or rates for goods and services.
  • Greater Transparency – Businesses will need to be significantly more transparent about their collection and use of personal data and must provide consumers with notice (in their privacy policies) of their new rights under the CCPA.

The Attorney General of California will penalize companies that do not comply with the CCPA, with the sanction for failing to address alleged violations within 30 days $7,500 per violation.