GDPR-Style Data Privacy Law Signed into California Legislature

California governor Jerry Brown has signed AB 375 – the California Consumer Privacy Act of 2018 – into law after the Senate and Assembly made a unanimous decision to pass the bill.

California currently has some of the strictest privacy laws in the U.S. According to present laws, companies that suffer a breach of private data should advise affected persons in the event that their electronic data is disclosed or stolen. With AB 375, California residents get even greater privacy protections. The new law has been compared to GDPR due tot he additional rights that are given to state residents. These new rights include:

  • The right to request a business provides information about the types of personal information that is collected, processed, and stored, and the source of that information
  • Be advised about the reason for gathering, processing, and selling personal information
  • Third parties with whom the personal data is disclosed
  • The right to request a business provide a copy of all personal data that is held on an individual
  • The right to request the deletion of all personal data that is held
  • The right to request that personal data is not sold
  • The right to launch a civil action in case there is failure to protect an individual’s private information

The law will likewise protect against any discrimination of a person who decides to exercise the above rights, for instance, charging such a person more or giving goods or services of lower quality.

The Act additionally forbids companies from selling the private information of persons from 13 to 16 years old, except if he/she authorized it by opting in. Persons less than 13 years old must provide the consent of a parent or legal guardian prior to the collection of personal information.

Businesses must explain, prior to the collection of personal data, the categories of data that they will collect and the reason for collecting such information. Businesses will not be allowed to collect more data than is stated in their client notices. Clients should also be informed of their right to request the deletion of their information at the time the consent is obtained.

Businesses should put on their website homepage a clear link to a “Do not Sell My Personal Information” page, where the user can choose to opt out of the selling of their private information.

The Act does not cover the protected health information (PHI) that HIPAA-covered entities collect, as stated in the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or information covered by the HIPAA Privacy, Security, and Breach Notification Rules that the federal Department of Health and Human Services has issued, or Parts 160 and 164 of Title 45 of the Code of Federal Regulations in the Health Insurance Portability and Availability Act of 1996.

The California Consumer Privacy Act of 2018 has been criticized as a hurried attempt to avoid a voter initiative that would’ve been included on California ballots in November in case the bill was not approved. The Internet Association also heavily criticized the bill for the lack of public dialogue and process related to such a far-reaching bill. The Internet Association issued a statement saying policymakers should work to address the unavoidable, negative policy and compliance implications of the bill on California’s consumers and businesses.

Although the California Consumer Privacy Act of 2018 was signed into law, it may be modified prior to its effective date on January 1, 2020.