United States: California Enacts GDPR-Like Consumer Privacy Protections: What You Need To Know

The state of California recently enacted the most sweeping general privacy statute in the United States. The California Consumer Privacy Act, codified in Assembly Bill 375 ("CCPA"), will take effect on January 1, 2020, and is intended to give California consumers more control over their personal information and how it is collected, used and sold by companies. The CCPA was modeled on the California privacy ballot initiative that was set to be voted on in November (but has since been withdrawn) and applies to companies of a specific size or engaging in certain activities in California.

Coverage of the CCPA

Unlike existing state and federal privacy laws, which tend to focus on a specific sector or type of personal information, the CCPA applies across industries and to a wide range of consumer information, providing protections to a significant numbers of consumers. The CCPA covers for-profit companies doing business in the state of California that satisfy one of the following criteria: (1) has annual gross revenues in excess of $25 million (as adjusted), (2) annually buys, receives, sells or shares personal information for commercial purposes of 50,000 or more consumers or (3) derives 50 percent or more of its revenues from selling consumers' personal information.

While service providers1 are not expressly covered, companies face certain restrictions on the "selling" of personal information to third parties. The CCPA exempts from those restrictions the sharing of personal information for business purposes with a service provider if (1) the company has provided sufficient notice to the consumer of this sharing and (2) the service provider does not further collect, sell or use the personal information except as necessary to perform the business purposes. Furthermore, the CCPA excludes from the definition of "third party" those parties with whom the company shares personal information for a business purpose and pursuant to a contract meeting certain identified conditions. Companies will need to review their contracts with service providers and make any necessary changes before the effective date.

Key Components of the CCPA

The CCPA imposes a number of new obligations that go beyond what is generally required or expected under existing federal or state privacy laws. To date, US privacy laws have focused on requiring disclosures regarding companies' information practices, enforcing the commitments made to consumers regarding those practices and restricting sharing consumer information with unaffiliated third parties for marketing purposes.2 Recent attention to data issues at the state level have focused largely on information security and notice in the event of unauthorized access rather than providing consumers with additional rights with respect to the collection, use, sharing or sale of personal information. The CCPA, therefore, is a departure from the approach of most current US privacy laws in its focus on providing consumers with new rights and protections with respect to broad categories of personal information collected about them. While a few recent laws, such as the New York Department of Financial Services cybersecurity regulation, have included somewhat similar provisions aimed at limiting data retention, the CCPA will significantly alter the current framework in the US regarding consumer access and the retention of information.

While the CCPA's focus on consumer rights has drawn comparisons to it and the EU General Data Protection Regulation ("GDPR"), companies should not assume that by extending their GDPR compliance to California they will satisfy the state's new law. Although a company with a GDPR compliance program will find it easier to adapt to the CCPA, key differences between the rights granted by each law will require companies subject to the CCPA to closely evaluate the new law and to ensure that they have the operational, technical and contractual ability to effectuate the rights of consumers with regard to any personal information they collect. Additionally, the GDPR introduces new restrictions on certain processing and imposes recordkeeping and other obligations as part of a company's general privacy compliance program that are not specifically required by the CCPA.

The key components of the CCPA:

  1. Broader definition of "personal Information": Unlike many privacy statutes in the United States, the CCPA uses a very expansive definition of personal information to include "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Specific categories addressed in the CCPA include, among other things, unique identifiers, biometrics, geolocation data, browsing and search information, and "inferences drawn" from such personal information that are used to create a profile about a consumer. The definition excludes de-identified or aggregate information or information that is publicly available from federal, state or local government records.
  2. New disclosure requirements. The CCPA gives consumers the right to request that a company disclose the categories and specific pieces of personal information it has collected about them in the past 12 months, as well as information about that data—the source of the information, what a company does with it and the categories of third parties with which it shares the data. Consumers can make such requests no more than twice a year and at no charge to them, and companies must respond to verifiable requests within 45 days, which can be extended. Although similar to California's current "Shine the Light" law, the CCPA imposes disclosure obligations on a much broader set of companies and applies to a broader set of data processing activities compared to the "disclosure" of personal information for direct marketing purposes requirements of the "Shine the Light" law.
  3. New right to delete. The CCPA gives consumers the right to compel companies to delete personal information "collected from the consumer." There are certain exceptions to this, including data collected to protect against fraud or other illegal activity, enable internal uses that are reasonably aligned with consumer expectation and complete a business transaction with the consumer. Complying with the new rights to delete and disclose data may require companies to make certain operational changes to how they store and process personal information, as well as make changes to their vendor agreements.
  4. New restrictions on sale of data. The CCPA gives consumers the right to opt out of the sale of their personal information, and companies must obtain opt-in consent from anyone under 16 years of age (which must come from parents or guardians if the consumer is under the age of 13). While opt-out rights are standard under the Gramm-Leach-Bliley Act, the California Financial Privacy Act and the GDPR require that consumers opt in to certain types of sharing. The CCPA defines "sale" as "the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." (Sec. 1798.140(t)(1).)
  5. New privacy policy requirements. Companies must also, prior to data collection, provide notice to consumers in privacy policies about their data practices and are prohibited from collecting additional personal information or using existing personal information collected for an additional use without notice to consumers. Companies must make it easy for consumers to facilitate the rights provided in the CCPA by describing to consumers the methods they can use to make requests of companies, covering other information in their policies and placing "Do Not Sell My Personal Information" buttons on their websites.
  6. No discrimination. Companies are prohibited from discriminating against consumers for exercising any of the rights provided for in the CCPA, including by denying goods and services, charging different prices or providing a different level of quality of their goods and services. There is an exception if the difference in price, level or quality of goods and services is reasonably related to the value provided by the consumer's data. Companies are allowed to offer financial incentives for the collection and sale of their personal information as long as they are not "unjust" or "usurious." This may enable companies to offer discounts on products or services to consumers who will allow their information to be used by, shared with or sold to third parties, but there is uncertainty regarding how the California attorney general will interpret and enforce this restriction.
  7. Impacts to already regulated companies. While the CCPA provides for certain exemptions for personal information governed by certain federal statutes (specifically the Health Insurance Portability and Accountability Act,3 the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Driver's Privacy Protection Act), those exemptions apply only to the personal information that is covered by those statutes and not to the entire company subject to them. Furthermore, some of the exemptions in the CCPA apply only to the extent that the federal law conflicts with the CCPA. While the Fair Credit Reporting Act contains provisions preempting certain types of state laws, the Gramm-Leach-Bliley Act does not generally preempt state laws affording consumers greater protections. The interplay between existing federal privacy laws and the CCPA will require a detailed analysis, and many companies will need to consider their compliance with the CCPA even if they already comply with sector-specific federal data privacy laws.
  8. Enforcement by the attorney general. The CCPA is enforced by the California attorney general and any person, business or service provider found in violation of it could be penalized up to $7,500 per incident. The CCPA requires the attorney general to provide the entity with written notice of the violation along with a 30-day period to address the non-compliance.
  9. Private right of action. In addition to enforcement by the California attorney general, the CCPA provides California consumers with a limited private right of action in connection with a breach of non-encrypted or non-redacted personal information resulting from a violation of reasonable security practices and procedures. The CCPA requires that, before proceeding with a lawsuit, a consumer must give the company 30 days' notice to cure the violation, as well as provide notice to the California attorney general, who will decide whether to bring charges themselves or let the consumer proceed.
  10. Future changes. Future amendments and clarifications to the CCPA are likely. Lawmakers in California are expected to amend the law before its effective date on January 1, 2020. The ability of lawmakers to make such amendments through the regular legislative process was a key reason why industry gave its support to the state legislature passing the CCPA within only a week of its introduction since, by doing so, the lead sponsor of the November ballot initiative agreed to its withdrawal ahead of the June 28 withdrawal deadline. The November ballot initiative could not have been similarly amended through the regular process had it been passed into law. Separately, the statute also instructs the California attorney general to develop and adopt regulations ahead of the effective data in a number of specific areas identified in the CCPA that are necessary to further the purposes of the CCPA. Providing the California attorney general with rulemaking authority could ultimately provide greater protections to consumers and more stringent obligations on covered businesses.


1. Defined in the CCPA as an entity "that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purposes pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purposes other than for the specific purpose of performing the services specified in the contract for the business..."

2. While Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act broadly addresses consumer access and portability of certain financial information, no implementing regulations were issued.

3. However, the text of the CCPA misidentified HIPAA as the Health Insurance Portability and Availability Act.

Originally published 10 July 2018

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Practice Guides
by Mondaq Advice Centers
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions