New privacy legislation hastily enacted in California

California lawmakers enacted a new privacy-centric law known as the “California Consumer Privacy Act of 2018” (CCPA). The CCPA will take effect on January 1, 2020.

This comprehensive legislation shares certain similarities with the European General Data Protection Regulation (GDPR) that became enforceable this May. Amongst other similarities, the CCPA adopts a number of GDPR principles, such as a ‘data controller’ and the GDPR’s broad definition for ‘personal information’. 

The new legislation gives Californians a right to review the information that businesses collect about them, request its deletion, and be told who the information may have been sold to and request to cease such sale of data. The new law also gives consumers the right to opt-out of the sale of their personal information by a business, and at the same time, prohibits the business from discriminating against the consumer for exercising this right. 

The Attorney General of California is responsible for the enforcement of the CCPA while consumers have no causes of action under the new law except in cases of data breaches. 

The CCPA was hastily enacted in order to eliminate a ballot initiative seeking to enact a much harsher privacy law. The ballot initiative had earned the support of more than 600,000 Californians, but its initiators promised to withdraw it if an appropriate privacy law is enacted. Until it takes effect in about 18 months, lawmakers have plenty of time to amend the law before it becomes applicable.