On June 28, California passed a sweeping data privacy law after only one week of work. Unless AB 375 (the California Consumer Privacy Act of 2018) is amended before its January 1, 2020, effective date, the law will be the strictest data privacy law in the United States, and will require data privacy protections and requirements similar to or broader than those imposed by the European Union General Data Protection Regulation that became effective on May 25, 2018.

The California legislature acted quickly to avoid a citizens’ initiative sponsored by Californians for Data Privacy from appearing on the November ballot. With the passage of AB 375, the initiative sponsors agreed to withdraw the initiative from the ballot.

By passing the bill (and avoiding the possible passage of the citizens’ initiative), the legislature bought time to review and amend the law before its 2020 effective date. If the initiative had passed, amendments would have required either a 70 percent super-majority in each house of the legislature, or approval by two-thirds of voters.

The law applies to for-profit businesses that do business in California and either:

• Have annual gross revenue of $25 million or more;
• Collects, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices; or
• Derives at least 50% of its annual revenues from selling consumers’ personal information.

The law also applies to affiliated, co-branded entities of businesses that meet the above criteria, even if the affiliate doesn’t do business in California.

As written, the California Consumer Privacy Act of 2018 requires the following:

1. Transparency of Data Collection and Processing

In a manner similar to the European Union General Data Protection Regulation, businesses that collect or sell the personal data of California residents will have to provide information to the individuals (Read more...)