Sunstein Insights

So You Thought the GDPR Was Fun? Wait Till You See What California Has In Store

Thomas C. Carey | Partner, Business Chair

Thomas is a member of our Business Practice Group

On June 28, the Governor of California signed the California Consumer Privacy Act of 2018. The Act becomes effective on January 1, 2020. It includes some of the novel aspects of the EU’s General Data Privacy Regulation (GDPR), such as the right to be forgotten. But it raises the ante.

Under the Act, a business that traffics in data that includes personal information about California residents must, upon request of the resident, disclose:

  • The categories of personal information that it has collected
  • The categories of sources from which the personal information is collected
  • The business purpose for collecting the information
  • The categories of third parties with which it shares the information
  • The specific information about the resident that it has collected

The resident may at any time direct the business to cease selling information about him or her. Businesses that sell such information must inform consumers about this right to opt out, including by means of a clear and conspicuous link on the home page of their websites labeled “Do Not Sell My Personal Information.” Businesses may not discriminate against consumers who exercise their rights under the Act.

“Personal information” is defined broadly to include any information that is capable of being associated with a consumer, including online identifier, IP address, account name, email address, biometric information, geolocation data and employment-related information. Personal information generally does not include information that is lawfully made available from government records.

The Act does not pertain to businesses that have gross revenues less than $25 million and that neither

  • Sell nor share personal information about 50,000 or more consumers or internet-connected devices; nor
  • Derive 50% or more of their annual revenue from selling consumers’ personal information.

The Act is quite detailed, so a careful review of its language is necessary for those who collect or trade in personal information about California residents. As experience with the GDPR has already taught, it is good to plan in advance to achieve compliance when the Act takes effect.
