On June 28, 2018, Governor Brown signed into law the “California Consumer Privacy Act of 2018.” The legislation was a compromise to avoid a ballot initiative that was more closely modeled after the European Union’s General Data Protection Regulation (GDPR). This Act is scheduled to go into effect on January 1, 2020.
The Act enumerates a number of rights for consumers regarding the privacy of their personal information. Some rights, such as the right to be forgotten or the right to request information disclosure, are reminiscent of those seen in the GDPR, while others, such as the right to opt out of the sale of a consumer’s personal information, are specific to the new law.
Along with identifying consumer rights, the law also imposes requirements on businesses, including those that collect or have collected consumers’ personal information, to make specific disclosures about their personal information practices and to respond to consumer requests. Importantly, the definition of “personal information” is broadly defined to include common information, such as a name or email address, as well as more specific information, such as biometric information and geolocation data, although publicly available information is not included.
Given that the law is not set to be implemented for more than a year, there could very likely be changes. However with this law, California is leading the way for other states to enact similar laws to protect their consumers’ personal information, potentially raising questions about the feasibility of companies meeting differing requirements across state lines.
This law also comes on the heels of the Federal Trade Commission’s announcement of hearings on the harmonization and interpretation of federal and state laws that address unfair and deceptive practices, including privacy. This new law will likely be a topic of those conversations.
For more information about the California law, including a more comprehensive summary of its requirements, see our Client Advisory.