Since the European Union’s General Data Protection Regulation (GDPR) went into full effect on May 25, 2018, it has certainly had an impact on the privacy practices of U.S. multinationals with an EU presence, but the implications will get far more significant for everyone across the United States if California and other states follow suit by adopting new GDPR-like privacy laws.
On Thursday, June 28, California enacted a new privacy bill entitled California Consumer Privacy Act of 2018 (AB 375 or the Act), which will become effective January 1, 2020. The Act provides California consumers with expansive privacy rights and more control over the personal information that businesses collect on them. The Act also imposes the threat of civil penalties and statutory damages on businesses that don’t comply. California’s new privacy law is unprecedented in the United States and is sure to disrupt business operations as companies doing business in California figure out how to comply.
The passing of the bill into law is attracting a lot of attention countrywide. It will likely have a ripple effect on other states exploring increasing privacy protections. Even on a standalone basis, the California law will have tremendous impact given the magnitude of California’s economy relative the rest of the United States, the number of businesses that do business in California and the uniform nature of online webpages and apps used by residents in California and the other 49 states. Many insiders suspect that it will also foster greater sympathy for baseline comprehensive federal privacy legislation.
What will the Act do?
Who's covered? The Act applies to companies that do business in California and that meet one or more of the following three criteria: (1) have more than $25 million in annual gross revenue; (b) buy, receive, sell or share the personal information of 50,000 or more consumers or devices; or (c) derive 50 percent or more of their annual revenue from selling consumers’ personal information.