Consumer Privacy: California Follows in the Footsteps of GDPR

• Transparency of Data Collection and Processing – organizations doing business with California residents will need to provide detail around what personal data is collected, shared, or sold. Organizations will need to also provide detail around how the data is used and to whom the data will be disclosed.
• Right to be Forgotten – for those California residents that are not actively doing business with an organization, the resident can request that their personal data be deleted.
• Required Notice and Opt-Out – Should your business buy personal data (think lead lists, etc.), this affects you. Organizations selling the personal data cannot include California residents unless the resident has been notified of the sale and giving an opportunity to opt-out.

The big question everyone is asking around these data privacy laws is “does it apply to me?”

In the case of the California Consumer Privacy Act, the law applies to for-profit businesses that do business in California and meet one or more of the following criteria:

• Have annual gross revenue of $25 million or more;
• Collect, sell or share for commercial purposes the personal information of at least 50,000 consumers, households or devices; or
• Derive at least 50% of its annual revenue from selling consumers’ personal information.

Unlike GDPR, which has specific text and processes regarding breaches, the California Act has very little to say around protecting against breaches, nor spells out any penalties should a breach happen. The Act was given an effective date in 2020 to allow the California legislature to amend the bill. So, be on the lookout for updates to this act around breaches, notification, and penalties.