On June 28, the Governor of California signed the California Consumer Privacy Act of 2018. The Act becomes effective on January 1, 2020. It includes some of the novel aspects of the EU’s General Data Privacy Regulation (GDPR), such as the right to be forgotten. But it raises the ante.
Under the Act, a business that traffics in data that includes personal information about California residents must, upon request of the resident, disclose:
The resident may at any time direct the business to cease selling information about him or her. Businesses that sell such information must inform the consumers about this right to opt out, including by means of a clear and conspicuous link on the home page of its website labeled “Do Not Sell My Personal Information.” Businesses may not discriminate against consumers who exercise their rights under the Act.
“Personal information” is defined broadly to include any information that is capable of being associated with a consumer, including online identifier, IP address, account name, email address, biometric information, geolocation data and employment-related information. Personal information generally does not include information that is lawfully made available from government records.
The Act does not pertain to businesses that have gross revenues less than $25 million and that neither
The Act is quite detailed, so a careful review of its language is necessary for those who collect or trade in personal information about California residents. As experience with the GDPR has already taught, it is good to plan in advance to achieve compliance when the Act takes effect.