Get updates by email

Select Specific Blog Updates

Paul Zimmerman

Photo of M&R Blog

Wavebreak Media Ltd ©

The GDPR Comes to the Golden State

California has hopped on the General Data Protection Regulation (GDPR) bandwagon with the California Consumer Privacy Act just signed into law by Governor Jerry Brown. The new data privacy law – which was unanimously approved by the state legislature and is the strictest in the U.S. – is GDPR-like to the extent it allows consumers to control how their personal data is collected, processed and shared.

Essentially, the law, which goes into effect on January 1, 2020, gives Californians “the right to know what personal information (PI) is being collected about them and whether their PI is being sold and to whom; the right to access their PI; the right to delete PI collected from them; and the right to opt-out or opt-in to the sale of their PI, depending on age of the consumer” – this according to a comprehensive legislative summary by the Assembly Committee on Privacy and Consumer Protection. In addition, children under 16 must opt in for their information to be sold. No doubt, this is a law that will shake the halls in Silicon Valley.

The following questions and answers should shed some light on the Privacy Act:

Who does the law apply to?

Businesses that collect information from California residents and (1) have over $25 million in annual gross revenue; (2) buy, receive, sell or share for commercial purposes the PI of 50,000 or more consumers, households or devices; and/or (3) derive 50% or more of their revenue from the sale of consumers’ PI.

What is the definition of PI?

Anything that is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Of note, any identifying information not otherwise publicly available would not be protected by the law.

However, the Privacy Act specifically does not restrict a business’s ability to “[c]ollect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information,” so long as the business has implemented technical safeguards and business processes that prohibit reidentification and does not attempt to reidentify the information.

What must companies disclose to California residents?

The categories and specific pieces of PI collected about any given consumer, the sources from which that information is collected, the purpose for collecting or selling PI, the categories of PI sold, and the categories of third parties to whom the PI is shared.

What are the opt-out requirements?

As referenced above, consumers can prohibit businesses from selling their PI. To comply with this opt-out option, companies must conspicuously post their privacy policies online as well as a link titled “Do Not Sell My Personal Information.”

The statute also prohibits businesses from discriminating against consumers who exercise their rights, such as refusing to sell to them or charging different prices or rates for goods or services (unless the difference is reasonably related to the value provided to the consumer by the consumer’s data).  That being said, the law also allows businesses to offer financial incentives to consumers relating to the sale of their personal information.

Who can bring suit under the Privacy Act?

With its enactment, the Privacy Act renders moot a similar ballot initiative that was set to be voted on in November – an initiative, since removed from the ballot, that was vigorously opposed by tech-centric companies like Amazon, AT&T, Facebook, Google, Microsoft, Uber and Verizon.

Unlike the proposed ballot initiative, the power to enforce the law is almost exclusively that of the state Attorney General. That being said, in data breach cases in which the Attorney General declines to prosecute within 30 days of being notified of a consumer’s intent to bring suit, the consumer can proceed with an action, though companies must be given 30 days’ written notice and an opportunity to “cure” the noticed violation within that time period. Likewise, businesses will have 30 days to cure any violations after receiving notice of noncompliance from the state Attorney General.

The other good news for California companies is that the law does not impose monumental fines such as those contemplated under the GDPR – the greater of 20 million Euros or 4% of a business’s annual worldwide turnover. Instead, the Privacy Act permits consumers to recover the greater of up to $750 per violation or their actual damages; however, where a business has intentionally violated the statute, the Attorney General can recover a civil penalty of up to $7,500 per violation.

Of course, if you have any questions about the California Consumer Privacy Act, the privacy and compliance specialists at Michelman & Robinson, LLP are here to help. For questions relating to Cybersecurity and Data Privacy, contact Scott Lyon at or call (714) 557-7990.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.