Yesterday Gov. Jerry Brown signed the California Consumer Privacy Act of 2018, which grants California residents unprecedented control over the collection, use, and sale of personal information. Many have already speculated that other state legislatures will follow suit and adopt a similar law in their own states, as has occurred in the wake of past California laws on data privacy and security. A copy of the law can be found here.

Among other provisions, the law states that:

  • Californians have the right to request that a business that collects a consumer’s personal information disclose what categories and specific pieces of personal information the business has collected;
  • Californians have the right to request that a business delete any personal information about the consumer;
  • Californians have the right to direct a business not to sell the consumer’s personal information, which is referred to as the right to opt out; and
  • Californians can bring a private right of action against a company if there is an unauthorized breach of non-redacted or non-encrypted personal information.

As written, the definition of “Personal Information” goes beyond every existing data breach notification law in the United States to include, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The California Consumer Privacy Act is set to go into effect in 2020, but is subject to change after it has gone through the amendment process. The California Attorney General will also play a key role in adopting regulations to elaborate on the law, as the law requires the Attorney General to solicit “broad public participation”.

Additional analysis is forthcoming as Password Protected continues to monitor developments surrounding the law.