California Residents Gain Strongest Data Privacy Rights in US

Wednesday August 22nd, 2018 by Pierson Klein


Data privacy law in California just took a giant step forward. The new California Consumer Privacy Act, which was passed at the end of June 2018, is the strictest data privacy law in the United States to date. With many GDPR-like qualities, this new legislation could signify a larger trend in US policy regarding data protection and privacy rights – especially given California’s status as the reigning US tech innovator and home to many of America’s largest, most competitive technology companies. Longer term, the commitment to data privacy rights within America’s most populous state could increase the pressure on other states, or even the federal government, to follow suit.

The California Consumer Privacy Act: Another GDPR?

The California Consumer Privacy Act incorporates several aspects of the GDPR into its legislation. It has a broader definition of personal data, and it emphasizes transparency with respect to the processing of data. Additionally, the law promotes subject access requests, the right to be forgotten, and data portability. It will enable data subjects to request the categories, sources, and business purposes of personal data collected by a company, and the data subjects can request what categories of personal data are being sold to different classifications of third parties.

Furthermore, within 45 days of a data subject’s request, a company must disclose what specific personal data it collects, how it is collected, for what purpose, and to whom it is shared or sold. The company must have a way of verifying the identity of the individual making the request. Also, the business must publish its privacy policy online and, if it sells personal data, include a conspicuous link saying “Do not sell my personal information.”

Despite the obvious regulatory hurdles, the positive side for many tech companies is that much of what they have already undertaken to comply with the GDPR will serve them well once the California Consumer Privacy Act becomes law. Companies still not prepared for GDPR regulation, on the other hand, may now be under twice the pressure – and possibly suffer twice the scrutiny.

Data Privacy in California: Who is Affected?

The law protects any data subject who is a “natural person who is a California resident,” and it creates regulations for companies that conduct business in the state of California and collect consumers’ personal information for profit. Such a company must also meet at least one of the following criteria: it has a gross revenue of more than $25 million annually; it “alone or in combination, annually buys, receives for the business’[s] commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices”; or 50% or more of its annual revenue comes from selling consumers’ personal data.

Just as companies outside of Europe that handle the personal data of Europeans must comply with GDPR mandates, companies outside California’s borders are similarly compelled to comply with the state’s new data privacy requirements. With the state set to surpass 40 million residents by the time the law comes into effect, it is also fair to say that nearly all companies that handle the personal data of American consumers will be affected by this legislation to some degree.

A Different Approach from the GDPR

The penalties under the California Consumer Privacy Act reflect a distinctly American approach when compared with those of the GDPR. First, the law allows consumers to sue a business for a violation. A company can also be prosecuted by the California Attorney General if the violation is not corrected within 30 days. An organization could additionally be required to pay damages of up to $750 per consumer after a data breach, and a company that intentionally violates the law may be fined up to $7,500 per violation. Under the GDPR, a company faces fines of up to €20 million or 4% of annual global turnover. Comparing penalties, the GDPR is much harsher on companies, but the California legislation still indicates a significant shift in the U.S. perception of data privacy and consumer rights.

Under the GDPR, the processing of personal data requires a legal basis. If there is no other legal basis, consent is required from the data subject; without this consent, their personal data cannot be lawfully processed. Under the California Consumer Privacy Act, by contrast, a data subject’s consent to the processing of their personal data appears to be assumed. The data subject can decide to opt out of the sale of their personal data, rather than having to opt in as under the GDPR. Although consumers are protected from a business discriminating against them for opting out, businesses are still allowed to offer a financial incentive for allowing the sale or collection of personal data. Additionally, an opt-out must be honored for a minimum of one year before a company may ask again. Nevertheless, the assumed consent of data subjects in California highlights that, although this is a progressive law in the United States, it still lacks much of the privacy rights gravitas established by the GDPR.

Consumer Privacy: 2020

The California Consumer Privacy Act will go into effect on January 1, 2020, allowing businesses less than 18 months to prepare for the new regulations. While the Act is the first key example of data privacy legislation in the United States, it will not be the last. California’s significant influence over the technology sphere will quickly establish the importance of data protection, and that influence is likely to be felt at both the state and national level. Even under current legislation, it is unlikely that all consumers will remain happy with a company providing one set of superior privacy services to California residents and another set of services to everyone else. Additionally, once a company has the capability, why not enable the same privacy process for all of its users and customers? Whether the incentives are political or for profit, the requirements for companies to provide advanced privacy options for consumers are becoming increasingly unavoidable.


Pierson Klein joined TechGDPR’s team as Legal Intern this summer. She is majoring in Law, Jurisprudence, and Social Thought at Amherst College (2020) in the U.S.A.
