California Passes Sweeping New Privacy Law Aimed at Protecting Consumers’ Personal Information

On June 28, 2018, the California governor signed AB 375, the California Consumer Privacy Act of 2018 (“the CCPA” or “Act”), intended to protect the private data of consumers and effectively putting in place some of the toughest consumer privacy protections in the country. The CCPA contains sweeping new consumer privacy requirements and has significant implications for entities doing business in California. Although the new requirements do not go into effect until January 1, 2020, businesses should begin to prepare now to ensure that they will be in compliance with the new state law.

The Act is being referred to as “California’s GDPR,” in reference to the European Union’s General Data Protection Regulation which went into effect in May of 2018. The Act affords consumers greater control over their personal information and places additional responsibilities on a business with respect to the collection, use, maintenance and sale of consumers’ personal information. For instance, it provides consumers with greater transparency and access to their personal information, deletion rights, disclosures, and opt-out rights. It also affords consumers the right to sue and can lead to fines levied against a business. Given the fact that California’s CCPA imposes new requirements which will impact the operations of a business, it is imperative to assess the possible effect of these new requirements on your business and prepare an implementation plan.

In order to comply with the requirements of the Act, a business must make available to consumers two or more designated methods for submitting requests for the information it is required to provide, including a toll-free telephone number and a web site address. Additional key aspects of the CCPA include:

  • Applicability: The CCPA will apply to for-profit entities that do business in California and meet any of the following criteria:

    • Has annual gross revenues over $25 million;
    • Alone or in combination annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
    • Derives 50% or more of its annual revenues from selling consumers’ personal information.
  • Personal Information: The new law broadly defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act excludes publicly available information including information that is lawfully made available from federal, state, or local government records. This definition of personal information is broader than state breach notification laws defining personally identifiable information and should be considered to essentially cover any type of information that identifies a consumer.
  • Disclosures: Under the CCPA, consumers have the right to seek disclosure of any of their personal information a business has collected. Specifically, a business must disclose the:

    • Categories of personal information the business has collected about the consumer;
    • Categories of sources from which the personal information is collected;
    • Business or commercial purposes for collecting or selling personal information; and
    • Categories of third parties with whom the business shares the personal information.

  The Act requires a business to provide this information in response to a verifiable consumer request up to twice a year. The disclosures must be made within 45 days of receipt of the request and cover the 12-month period preceding the business’s receipt of the verifiable request.

  • Right to Request Deletion of Personal Information: The new law gives a consumer the right to request deletion of personal information and requires the business to delete such information when the business receives a verified request. However, a business does not have to honor this request if it is necessary to retain the information due to any of the enumerated exemptions contained in the CCPA.

  • Opt-Out and Discrimination: The Act authorizes a consumer to opt-out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right, among other rights, including by denying goods or services, charging the consumer who opts out a different price, or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. The opt-out section of the Act requires that consumers be provided a “clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’” to opt-out of the sale of their personal information. This can be linked through a business’s online privacy policy. California already has baseline requirements for online privacy policies found in the California Online Privacy Protection Act (CalOPPA), and now is a good time for entities doing business in California to review compliance with both the Act and CalOPPA.
  • Federal Law Carve Outs: Generally speaking, the CCPA does not apply to personal information protected by the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act, and the Driver’s Privacy Protection Act. Significantly, these exceptions relate to the information covered pursuant to those statutes, not the entities themselves. Therefore, the Act does not apply to the sale of personal information to or from a consumer reporting agency if that information is part of a consumer report under the FCRA.
  • Protections for Minors: The new law prohibits a business from selling the personal information of a consumer under 16 years of age unless the sale is affirmatively authorized (i.e., through an opt-in). Consumers between the ages of 13 and 16 can opt in for themselves, and a business must obtain a parent or guardian’s affirmative authorization for consumers under the age of 13.
  • Enforcement and Private Right of Action: The CCPA will be enforced by the California Attorney General and provides a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s non-encrypted or non-redacted personal information. Under the Act, a consumer is entitled to recover actual damages or statutory damages of between $100 and $750 per consumer per incident (whichever is greater). In addition, injunctive, declaratory or other relief is made available. Before bringing any action against a business for statutory damages, a consumer must provide the business with written notice identifying the consumer’s specific allegations, and there is a 30-day right-to-cure period. Furthermore, the consumer must notify the Attorney General within 30 days that an action has been filed.
  • Timeline for Compliance: The new requirements go into effect on January 1, 2020. The Act expressly gives the Attorney General the ability to adopt additional regulations to carry out the Act.

If you have any questions regarding privacy or consumer issues, please contact one of the authors or any member of Arnall Golden Gregory’s Privacy and Consumer Regulatory Practice Group.

Montserrat C. Miller is a Privacy Partner and Bradford J. Kelley is an Associate in Arnall Golden Gregory LLP’s Washington, D.C. office.