United States: "California Enacts Broad-Reaching Consumer Privacy Legislation"

With Governor Jerry Brown's signature this afternoon (June 28, 2018), California enacted the most sweeping privacy legislation in the Nation, a bill the legislature passed to avert what promised to be a wildly expensive and contentious showdown over a competing, and more controversial, initiative slated for the November ballot (the "Privacy Initiative"). The California Consumer Privacy Act of 2018 (the "Act") imposes upon businesses within its coverage major new compliance requirements and liability exposure. The Act's provisions go into effect on January 1, 2020. The Act requires businesses to implement a new infrastructure to provide California residents with extensive controls over virtually every conceivable form of personal information, including the rights to prevent the sale and to require deletion of their information. It also increases the exposure for any data breach. This Bulletin summarizes key aspects of the Act and highlights key differences between the Act and the Privacy Initiative and the European General Data Protection Regulation ("GDPR") that went into effect on May 25, 2018.

The Act's Requirements

The Act applies to personal information concerning natural persons who are California residents. It defines personal information expansively to include not only traditional personally identifiable information, but also such far ranging categories as purchasing history or tendencies, records of products or services provided, biometric data, geolocation data, and "audio, electronic, visual, thermal, olfactory, or similar information," "psychometric information" and any inferences drawn from any such information. The inclusion of "inferences" drawn from the enumerated categories of personal information casts a virtually uncircumscribed net and could broadly affect the data analytics operations (e.g., customer profiling) that pervade today's businesses. Personal information does not include information that is "de-identified," a term that the state Attorney General is authorized to redefine as technology evolves.

The Act grants California consumers: (1) the right to know what personal information is being collected, whether it is sold or disclosed, and to whom; (2) the right to access and seek disclosure of personal information a business has collected; (3) the right to opt out of the sale of personal information; and (4) the right to require deletion of personal information a business has collected. Further, the Act prohibits businesses from discriminating against consumers based on their exercise of any of these rights, for example by denying goods or services, charging a different price, or providing a different level or quality of service. That prohibition is not absolute: the Act expressly permits a business to offer financial incentives for the collection or sale of personal information, and to offer a different price, rate, level, or quality of goods or services, where the difference is related to the value provided to the consumer by the consumer's data, and the incentive is disclosed and the consumer opts in (Section 1798.125(b)). Pricing models that are not tied to the value of the data, or that are unjust, unreasonable, coercive, or usurious, remain prohibited. In furtherance of these new rights, the Act requires that businesses provide two or more designated methods for submitting disclosure, deletion, and opt-out requests, including, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address. With respect to opt-out requests, a business must provide a clear and conspicuous hyperlink on its Internet homepage titled "Do Not Sell My Personal Information" that enables the consumer to opt out of such sale.

The Act also imposes certain affirmative obligations on businesses within its coverage in relation to these new rights. First, at or before collection of personal information, businesses must inform consumers as to the categories of information collected and the purposes for which it will be used. Second, businesses must disclose to consumers that consumers have the right to request deletion of their personal information. Third, a business must, at least annually, update its online privacy policy (if it has one), as well as include the following in any California-specific description of consumer privacy rights: (a) a description of the consumer's rights under the Act; (b) categories of personal information it has collected in the preceding 12 months; (c) categories of personal information it has sold within the preceding 12 months, or that it has not sold such information; and (d) categories of personal information it has disclosed within the preceding 12 months, or that it has not disclosed such information.

In addition, the Act imposes numerous other compliance obligations on businesses, affecting everything from employee training to the provisions of contracts with entities with which they share consumer information. In a provision highly critical to businesses' risk exposure, the Act imposes liability for the unauthorized access and exfiltration, theft or disclosure of nonencrypted or nonredacted personal information as a result of a business' violation of its duty to implement and maintain "reasonable security procedures and practices appropriate to the nature of the information" (Section 1798.150). The liability risk is high given the lack of definition around what constitutes reasonable security and the negative inferences often drawn following a significant breach. Two practical points follow from the text. First, the duty tracks the existing requirement of Civil Code Section 1798.81.5, and the California Attorney General's 2016 Data Breach Report took the position that the Center for Internet Security's Critical Security Controls define the minimum level of security that qualifies as reasonable, so a business that cannot document coverage of those controls should expect that gap to be cited. Second, because the private remedy reaches only nonencrypted or nonredacted data, encryption of personal information at rest, with keys held separately from the data, and redaction of fields that need not be stored in full (for example, truncated payment card or account numbers) directly reduce the population of records that can support a statutory damages claim.

Businesses Covered Under the Act

The Act's provisions sweep a much broader base of businesses under its requirements than the Privacy Initiative would have. It applies to for-profit entities that do business in California and collect consumers' personal information, or on behalf of which consumer personal information is collected (i.e., entities that employ a third party to collect consumer personal information), and that satisfy one or more of the following thresholds: (a) annual gross revenues in excess of $25M (as opposed to the Privacy Initiative's $50M threshold); (b) alone or in combination annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices (as opposed to the Privacy Initiative's 100,000 threshold); or (c) derives 50% or more of its annual revenues from selling consumers' personal information. The Act also applies to any entity that controls or is controlled by a business that otherwise satisfies these criteria, and that shares common branding with such a business. With Californians comprising roughly 12% of the U.S. population, covered businesses will have to decide whether to implement separate processes for handling the personal information of California residents, or apply these new standards nationwide.

Exemptions under the Act are few. The Act's provisions cannot restrict a business' ability to comply with federal, state, or local laws. It expressly excludes personal information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act to the extent the Act conflicts with that law. The Act also would not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report, and use of that information is limited by the Fair Credit Reporting Act. Other exceptions include compliance with federal, state, or local law enforcement investigations or cooperation with law enforcement.

Another very narrow exception applies if every aspect of a business's collection or selling of California residents' personal information takes place wholly outside of California. This narrow exception only applies where no personal information is collected while the consumer is in California and no part of the sale of the consumer's personal information occurs in California.

With respect to California consumers' right to request deletion of personal information, a business is not required to delete personal information that is necessary for the business to, among other enumerated exceptions: (1) complete the transaction for which it was collected, provide a good or service requested by the consumer, or otherwise perform a contract with the consumer, including a transaction reasonably anticipated within the context of the business' ongoing relationship with the consumer; (2) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity; (3) enable solely internal uses that are reasonably aligned with the consumer's expectations based on the consumer's relationship with the business; or (4) otherwise use that information internally, in a lawful manner that is compatible with the context in which the consumer provided it. The security-incident exception is worth noting for operations teams: logs and other records retained for intrusion detection or fraud prevention need not be purged in response to a deletion request, but the business should be able to show that the retained data is actually necessary for that purpose rather than simply convenient.

Enforcement of the Act

According to Senator Hertzberg, whose office led compromise efforts with backers of the Privacy Initiative, the most significant issue with the Privacy Initiative was the broad potential for liability in the form of consumer suits. A chief difference between the Privacy Initiative and the Act is that the Act eliminates the private right of action provided by the Initiative, vesting enforcement authority exclusively in the Attorney General, except in the case of data breaches.

Specifically, the Act provides for a private right of action for statutory damages (not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater; compare the Privacy Initiative's provision for $1,000 per violation, and $3,000 per willful violation) only in the case of a consumer whose nonencrypted or nonredacted personal information is the subject of a data breach as a result of a business' failure to implement and maintain reasonable security procedures. Moreover, prior to bringing such an action for statutory damages, a consumer must provide 30 days' written notice to the business identifying the specific provisions alleged to have been violated, with the business having an opportunity within those 30 days to cure. This provision is similar to the notice and cure provision in California's Consumers Legal Remedies Act. (While it is difficult to imagine how a business would cure a data breach in response to such a notice, the notice may provide an alert that facilitates containment and mitigation efforts.) After complying with the notice and cure provision, the consumer also must notify the Attorney General within 30 days of filing suit. The consumer may only proceed with the action if the Attorney General takes no action in response to the notice within 30 days, or if the Attorney General advises within 30 days that he or she will prosecute an action but takes no steps to prosecute within six months. The Act also does away with the Privacy Initiative's provision that a mere violation of its provisions shall be deemed to constitute an injury in fact, regardless of pecuniary loss.

All other authority for enforcement of alleged violations is vested exclusively in the Attorney General in the form of a civil action for civil penalties. Civil penalties are to be assessed in accordance with Section 17206 of the California Business and Professions Code, and shall not exceed $2,500 for each violation, or, in the case of a willful violation, $7,500 for each violation. Twenty percent (20%) of any civil penalties awarded, or the proceeds of any settlement of such an action, shall be allocated to the Consumer Privacy Fund, to be created by the Act, with the remaining eighty percent (80%) allocated to the jurisdiction on whose behalf the action was brought.

Relation to the GDPR

While the Act moves California closer to the stringent data protection requirements of the GDPR, there are several key differences.

The GDPR focuses on regulating businesses' collection and processing of personal data to ensure the privacy of data subjects. Under its processing principles (Article 5), data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes; businesses may not request personal data beyond that which is necessary for the purposes for which it is collected; and data may be retained in identifiable form no longer than necessary for those purposes. Every processing operation also requires a lawful basis (Article 6), of which the data subject's consent is only one; where a business relies on consent, it must be freely given, specific, informed and unambiguous, and a new, incompatible purpose generally requires a fresh lawful basis such as renewed consent. The GDPR further requires businesses to design systems that collect and store personal data with technical and organisational measures built in to protect that data (data protection by design and by default, Article 25, and security of processing, Article 32). In addition, the GDPR requires that businesses subject to its jurisdiction provide a privacy notice to data subjects at the time the data is collected (Articles 13 and 14).

The Act shares some similarities with the GDPR's rights and requirements. Namely, both provide a right to obtain from businesses the categories of data collected and the purpose for the collection. And both the GDPR and the Act provide a right to receive not only the categories of personal information collected, but also the specific personal information collected and stored. Further, both the GDPR and the Act establish a right to request deletion of personal information collected (the GDPR's right to erasure under Article 17, commonly called the "Right To Be Forgotten"). However, the GDPR contains no separate provision, comparable to that found in the Act, establishing a right to request that personal information not be sold; the closest analogues are the GDPR's consent requirements and the data subject's right to object to certain processing (Article 21). Moreover, while the GDPR requires that businesses subject to its jurisdiction proactively provide privacy notices to data subjects, the Act does not impose privacy notice requirements beyond those under existing law, other than requiring that businesses notify consumers of certain rights under the Act and periodically update their existing policies and notices. Rather, the Act places the onus on consumers to exercise the rights created thereunder and affirmatively request disclosure. Nor does the Act require, as the GDPR does for businesses whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data (Article 37), that a business appoint a Data Protection Officer to oversee internal compliance.

Some provisions of the Act go beyond those of the GDPR. The Act's definition of personal information is far more sweeping than that of the GDPR in its express inclusion of such categories as "audio, electronic, visual, thermal, olfactory, or similar information," geolocation data, "psychometric information" and any inferences drawn from any such information. Further, the Act's non-discrimination provision restricts businesses from conditioning free or discounted versions of their services (e.g., a free or discounted app) on the right to market personal information collected, or charging for a version that carries no such right, unless the price difference is related to the value of the consumer's data and the consumer opts in to a disclosed financial incentive. The GDPR contains no equivalent non-discrimination rule, although its consent provisions treat consent as presumptively not freely given where performance of a contract is made conditional on consent to processing that is not necessary for that contract (Article 7(4)).

In short, despite being a slight improvement over the withdrawn Privacy Initiative (especially in providing additional time for implementation and scaling back the threat of private litigation), the Act imposes major new data protection burdens and risks on businesses that collect any form of personal information concerning California consumers. The Initiative, if adopted, would have required a 70% supermajority in each house of the California legislature, as well as the governor's signature, to change, a possibly insurmountable obstacle. In contrast, the Act is subject to the normal legislative process and is likely to be the subject of future hotly-contested amendment efforts. In the meantime, any business that collects or uses the personal information of California consumers should promptly assess whether to revamp its compliance program and its relationships with entities with which it shares consumer information, including determining whether to apply the stringent California standards nationwide.

The attorneys of Stroock's Financial Services Litigation, Regulation and Enforcement Group are well positioned to answer any questions that you may have about the scope and impact of the Act, as well as related issues.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
