California in the Data Privacy Spotlight: California Passes Sweeping Data Privacy Law in Record Time

The General Data Protection Regulation ("GDPR" or "Regulation"), which came into effect in the European Union ("EU") on May 25, 2018, has in many ways put a spotlight on the regulation of data privacy, or lack thereof, in the U.S. In the United States, there are no uniform data privacy regulations with the same comprehensive reach as the GDPR. Current federal U.S. regulations are narrow in scope or target only certain classes of data - for example, regulations that specifically target medical or financial data. Lacking nationwide regulations, local legislators and city residents have taken another look at their own privacy regulations and have proposed various laws designed to strengthen consumer privacy rights.

California was already leading the charge on individual state privacy legislation in the U.S. when, on June 28, 2018, just one week after it was proposed, the California Consumer Protection Act ("CCPA") was passed and signed into law as AB 375. Set to take effect on January 1, 2020, the CCPA catapults California into the position of having the most comprehensive, significant, and widespread regulation of data collection in the U.S. The law gives consumers significantly more control over what data is collected and how it is used and bears some conspicuous similarities to the GDPR. Specifically, the CCPA defines "consumer" broadly to include all California residents.

The rapid turnaround for this bill is due to a ballot initiative of the same name that, after having reached double the required number of signatures, was set for a vote in November 2018. This ballot initiative sought to bring many of the protections of the GDPR to the U.S. and was in many ways a much stronger predecessor to the Act. The threat of the initiative going onto the November ballot - with very favorable advance polling of 80% positive - spurred California legislators into action on the bill. The Act is very much a compromise from the ballot initiative. State technology and business lobbies were vehemently opposed to the ballot initiative, and they saw the CCPA bill as the lesser of two evils. Per the compromise between legislators and the initiative's proponents, the initiative was withdrawn after the June 28, 2018 passage of the CCPA bill - literally hours before the deadline to withdraw November 2018 ballot initiatives.

Three central aspects of the ballot initiative were incorporated into the CCPA: (1) the right to know what data is being collected; (2) the right to opt out of that collection; and (3) the right to hold companies liable for data security breaches.

The CCPA has an expansive definition of "personal information" which includes any information that identifies, relates to, describes, or could reasonably be linked to an individual consumer or consumer household. The definition, which is similar to the definition of "personal data" in the GDPR, encompasses biometric data, IP addresses, internet activity, and profiles based on inferences gleaned from bits of data and internet activity. In fact, the Act takes a broad view of many definitions, including "collect," "sale," and "business purpose."

Individual Rights. The CCPA establishes a set of consumer rights, many of which mirror the GDPR (including the right to be forgotten).

1. Right to know what information is being collected. The CCPA requires businesses to inform consumers of the categories of information that they collect and prohibits businesses from collecting additional categories without disclosure.
2. Right to request and receive, in a readable format, the data that has been collected.
3. Right to know the purpose for which the data is collected as well as the categories of third party entities with whom the data is shared.
4. Right to be forgotten. Consumers may request deletion of the data a business has on them. This right includes certain exceptions.
5. Right to receive notification if a business sells their personal information.
6. Right to opt out of the sale of personal information, which may include the ability to direct businesses to stop the sale of personal information if earlier consent was given. This should be in the form of a "Do Not Sell My Personal Information" link that allows a consumer to opt out.
7. Right to equal treatment. A business may not deny services or otherwise discriminate against a consumer because of the consumer's refusal to consent to the sale of their personal information. This right includes certain exceptions.

Enforcement. The CCPA is enforced by the Attorney General. Of particular interest is the CCPA's creation of a private right of action for consumers in the event of a data breach. Compared to what was proposed under the ballot initiative, however, the Act curtails the initiative's private right of action. Under the CCPA, a consumer who has had his/her personal information compromised as a result of a company's failure to maintain reasonable security procedures and practices appropriate to the personal information it is collecting may sue that company. A consumer may file a lawsuit subject to statutory damages of $100 to $750 per individual. Otherwise, the CCPA is subject to enforcement by the state attorney general for violations.

Applicability and Scope. The CCPA applies to any entity that does business in California, that collects personal information from or about California residents, and that meets one of the following thresholds: (1) annual gross revenue exceeding $25 million; (2) collects information from at least 50,000 consumers, households or devices; or (3) derives at least half of its revenue from the sale of consumer personal information. The CCPA includes no restrictions on the sale of data in the aggregate - where information cannot be linked to any individual.

In anticipation of the changes to California law that will go into effect on January 1, 2020, U.S. companies should continue to investigate their use and collection of personal information and data. It is important to note that the CCPA is likely not in its final form, as businesses will undoubtedly continue to advocate for amendments and legislators will fine-tune and may significantly alter it between now and 2020.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit