California’s New Consumer Privacy Act

California’s New Consumer Privacy Act

By Rudy E. Verner and Jacob Scarr


The new California Consumer Privacy Act of 2018 makes substantial additions to California’s existing privacy regulations, with some calling it the strictest privacy law in the U.S.

Reading like Finnegan’s Wake and spanning more than 20 pages, the Act tracks much of the GDPR and creates rights for California residents that include the right to access their online data, the right to information portability, and the right to have their data deleted. The Act, which goes into effect January 1, 2020, is notable for prohibiting businesses from discriminating in their services and prices against consumers who exercise their online privacy rights. A few significant provisions of the law include:

Businesses covered by the law include any company that collects consumers’ personal information or determines the purposes and means of processing consumers’ personal information.  The company must do business in California and:

  • report annual gross revenues in excess of $25 Million Dollars; or
  • purchase or receive personal information for a business purpose, or sell or share the personal information of 50,000 or more consumers, households, or devices; or
  • derive 50 percent or more of its revenue from selling consumer information.

Personal Information under the Act is expanded to include browsing and search history and “information regarding a consumer’s interaction with an Internet Web site.”

Rights afforded to consumers under the law include the right to request access to their information, the right to transmit the information to another entity, the right to request that a business delete personal information collected about the consumer, and the right to opt-out of the sale of their information to third-parties. Companies will be required to inform consumers of their rights at the point of collection, much like the GDPR, and must comply with these requests within 45 days for most cases. Companies will also have to alter their homepages and provide a mechanism to opt-out of the sale of information through a link titled “Do Not Sell My Personal Information.”

Businesses are prohibited from discriminating against consumers for exercising any of their rights. California’s law limits businesses from denying goods or services, charging different prices, or providing a different level of quality based on the consumer’s choice to opt-out their data. However, the law provides a fairly large exception for differences “that are reasonably related to the value provided to the consumer by the consumer’s data.” What exactly this exemption entails will be up to California courts and lawmakers to clarify.

A private right of action is authorized for data breaches and unauthorized disclosure of data with statutory damages of up to $750 per consumer per incident. Actions may be brought by individuals or as a class subject to notification requirements.

The Act adds a broad range of other changes and requirements to California’s existing privacy laws including those concerning data security procedures, privacy policies, children’s privacy, and disclosures. Businesses with a presence in California should pay close attention to the law and be prepared to comply once it goes into effect in 2020.

If you have any questions regarding California’s new Consumer Privacy Act or other privacy or data security matters, contact Rudy E. Verner at BHGR Law at 303-402-1600.  You can find the text of the California Consumer Privacy Act of 2018 at

This article is intended to provide general information and, therefore, should not be treated as legal advice. If you have questions about a specific legal issue, you should seek the advice of a qualified attorney.