Enterprise Procurement Alert | State of California Consumer Privacy Act of 2018
On June 28, 2018, the State of California enacted the California Consumer Privacy Act of 2018 (the “Act”), which includes some of the strongest consumer privacy protections in the United States. Although not as comprehensive as the recent European Union regulations, some are referring to the Act as “California’s GDPR.”
The Act strengthens California’s existing privacy laws in a number of ways, including by requiring covered businesses to provide consumers with additional transparency regarding their privacy practices, and granting consumers additional controls over how their data is used and monetized.
Specifically, the Act includes the following new components, among others:
- Very broad definition of personal information, covering internet activity information, geolocation data, biometric information, and a variety of other categories, in addition to more standard types of personal information;
- Rights for consumers to request information regarding the types of information covered businesses collect, and how that information is used;
- Requirements for covered businesses to provide a clear “opt-out” from the sale of consumers’ data (with stronger requirements regarding the sale of data involving minors under 16 years of age);
- The ability for consumers affected by certain data breaches to bring private lawsuits against businesses that do not maintain reasonable security procedures and practices; and
- Requirements for covered businesses to delete consumers’ data, upon request, with some exceptions.
The Act only provides rights to California residents and only applies to businesses that meet certain revenue or data processing thresholds. However, because of the difficulty in administering different privacy practices in different states, the Act requires significant changes to how companies across the United States handle personal information.
The new requirements were effective January 1, 2020, with enforcement to begin July 1, 2020. Other than the private right of action for data breaches resulting from negligence, the California Attorney General will be responsible for enforcement of the CCPA.
If you have any questions regarding the applicability of the Act, or if you would like assistance in ensuring you can comply with the new requirements, please reach out to us.