Government Affairs

California Adopts New Consumer Data Privacy Law

On 28 June 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (AB 375).

California is the first state to adopt comprehensive rules on the rights of consumers regarding control of their personal information. The new rules take effect on 1 January 2020.

The California Consumer Privacy Act (CCPA) provides consumers in California with five general rights pertaining to the privacy of their personal information. Starting in 2020, Californians will have the ability to:

  1. Determine the information of theirs which is being collected
  2. Find out their specific information which is being sold or revealed to third parties
  3. Prevent the sale of their information
  4. Obtain access to their information being held
  5. Invoke control of their information without being penalized in the price or level of service by that particular business

The California Attorney General is directed to seek public input in developing the regulations implementing the rights.

How This Impacts Mobility

While there are expected to be changes to the new law before it takes effect, as written it will have an impact on the mobility industry for companies that meet one of the thresholds and collect or control the personal information of California transferees or provide that information to suppliers or third parties who use the data.

The Act applies to any for-profit business that collects consumer information and meets at least one of three criteria. It applies to companies that process information and have an annual revenue of more than $25,000,000, handle the information of 50,000 or more consumers or make 50% or more of their income from selling consumer personal information. The new law does not apply to activity of a business if it is conducted solely outside of California and if the information was not obtained while the consumer resided in California.

Related: GDPR Now Underway Across the Globe

U.S. Response to GDPR?

In addition, the new law reflects many aspects of the new European Union (EU) General Data Protection Regulation (GDPR) such as the ability of the consumer to request to have their personal data deleted.

In some cases, the California law goes further than GDPR with one example being the ability of consumers to profit from the sale of their data.

The California law is not as broad as GDPR but is enforceable within the U.S. court system. Consumers whose information is breached can sue for damages ranging from $100 to $750 per incident.

The California Consumer Privacy Act sailed through the California State Legislature with passage in a matter of weeks. The proposal was set to be a ballot initiative in the upcoming elections in November, but the California State Legislature moved quickly to report out the legislation before the 28 June deadline to remove the ballot initiative from consideration.

Businesses in California that collect consumer data for the large part did not oppose the measure because the ballot measure would have been even stricter.

Advertisement