California Adopts New Data Privacy Law

In late June, the California legislature adopted, and Governor Jerry Brown later signed into law, the California Consumer Privacy Act of 2018.  See website.  The new law was adopted shortly after the effectiveness of the EU’s General Data Protection Regulation (the “GDPR”), and in the wake of public outcry over data protection violations.  While it does not go as far as the GDPR, it represents the strongest law of its type in the United States, and will apply not just to California businesses over certain thresholds but to all businesses that do business in California, including internet businesses that deal with California customers. To be covered, profit-making businesses must: (i) have over $25 million in annual gross revenue; (ii) collect the personal data of over 50,000 California residents or (regardless of whether California or not) households and “devices”; or (iii) derive more than half their revenue from the sale of California personal data. Rights will now include: the right to disclosure of what is collected; the right to deletion of personal data; the right to know why the data is collected and with whom it is shared; the right to opt out from any sale and that the website and/or other material clearly provide for such an opt out; and the right to non-discrimination for making use of the rights.  Covered businesses must provide a mechanism for pursuing these rights.  The law goes into effect on January 1, 2020, but it was rushed through and many commentators predict that it will be amended to make it clearer and to deal with some issues before it does go into effect.