New Data Privacy Law Signed by California Governor Offering GDPR-Style Protections

The California Consumer Privacy Act of 2018, AB 375, has been signed into law. California governor Jerry Brown signed the bill on Thursday following the passing of the bill by the state Senate and Assembly. California already has some of the strictest privacy laws  in the United States; however, following the passing of the California Consumer Privacy Act, they will be the strictest in the country, offering the best protections for state residents.

The The California Consumer Privacy Act bears a number of similarities to the EU’s General data Protection Regulation (GDPR), giving state residents the following new rights:

  • The right to request businesses that collect personal data of data subjects to disclose what data is collected and processed and where those data came from
  • To be advised why personal data are collected, used, or sold
  • To find out the classes of third parties to whom the data are disclosed
  • The right to ask for a copy of all personal data that are collected/processed
  • The right to to request deletion of all personal data
  • The right to request that the data collector does not sell on personal data
  • The right to take legal action when there is a failure to safeguard a individual’s personal information

The new law also forbids any company from discriminating against a person who decides to exercise the above mentioned rights, including increasing the cost of goods or services or offering lower quality goods or services.

The Act likewise forbids businesses from selling the personal information of minors aged between 13 to 16 years, except if authorized to by means of opting in. With persons younger than 13 years old, a parent or legal guardian is required to give consent before personal data are collected.

Businesses need to explain, at the point of collection or prior to collection, the types of information that will be obtained and the reason for which the data is being collected. Businesses are not allowed to collect more information than what is mentioned in their privacy policies. Consumers should also be informed about their right to request deletion of their personal information at the point that consent is obtained.

Businesses should put a clear hyperlink on their website homepage with the link text: “Do not Sell My Personal Information”. When clicked, the link should take the user to a page where he/she can opt out and prevent their data from being sold on.

The new Act is not applicable to protected health information (PHI) that HIPAA-covered entities collect. That information is already covered by the

  • Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1))
  • The HIPAA Privacy, Security, and Breach Notification Rules issued by the federal Department of Health and Human Services, Parts 160
  • 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996

The California Consumer Privacy Act of 2018 has been criticized by many businesses and the Internet Association, in part due to it being rushed through without being fully considered. While the bill has been signed into law, it is possible for the Act to be amended prior to its effective date of January 1, 2020.