Legal Blog

California’s New Consumer Privacy Act: Will It Apply to Your Business?

On June 28, 2018, in a rush to avoid a ballot initiative that would have proposed even more sweeping privacy legislation, California’s governor signed the California Consumer Privacy Act of 2018 (the “Act”) into law. The Act contains broad obligations concerning how covered businesses collect, use, disclose, and delete the “personal information” of California residents. It’s not nearly as broad as Europe’s General Data Protection Regulation (the “GDPR”), but portions of the Act do resemble the GDPR’s obligations—such as the right to erasure (“right to be forgotten”).


The Act was adopted in haste and seems likely to be amended before it takes effect on January 1, 2020. Companies that put money into opposing California’s ballot initiative, such as Google, Facebook, Verizon, Comcast, and AT&T, agreed not to oppose the adoption of the Act if the ballot initiatives were withdrawn (which it was). But they also said in a statement that they will “work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create.” At the same time, some of the proponents of the ballot initiative are also not satisfied with the Act and they may lobby for amendments as well.


As it is currently written, however, the Act usually applies to businesses that meet all of these three criteria:


  1. Collect personal information from devices or people who are residents of California; and
  2. Meet at least one of these criteria: (A.) More than $25,000,000 in annual gross revenue. (B.) Personal information from 50,000 or more consumers, households, or devices. Information about Internet and other electronic network activity that is typically gathered from cookies is considered personal information, as are IP addresses. Businesses with websites that place cookies could easily accumulate information about many devices in a relatively short period of time. (C.) 50% or more of annual revenue comes from selling consumers’ personal information.
  3. Operate for profit

Information that is subject to regulation under the federal Health Insurance Portability and Accountability Act, or under the federal Gramm-Leach-Bliley Act, is also not covered.

If the Act does apply, the business must (among other things):


  • Implement reasonable security procedures and practices appropriate to the nature of the information it collects, which in effect requires inventorying of data assets (data elements, systems, software, and processes), reference to best practices for data security, deliberation, and documentation
  • Give notice to consumers of certain specific information before personal information is collected, and refrain from collecting or using the personal information for additional purposes unless further notice is given
  • Upon request and free of charge, provide consumers with the categories and specific pieces of personal information that the business has collected about the consumer, as well as the sources of collection, business purposes of processing or selling the information, and the categories of third parties with whom the business shares personal information
  • Upon request and free of charge, delete any personal information about the consumer that the business has collected from the consumer (subject to exceptions)
  • Allow the consumer to opt out of the sale of the consumer’s personal information without being charged for opting out, unless the charge is “reasonably related to the value provided to the consumer by the consumer’s data”
  • Provide training concerning the Act’s requirements for employees who handle consumer inquiries about the business’ privacy practices

Businesses have plenty of time to assess how they will be affected by the California Consumer Privacy Act of 2018 and to implement necessary changes. But it’s best not to wait too long. Unlike the adoption of the Act itself, compliance doesn’t come overnight.

Questions about this or any other privacy law matter, including GDPR?

Contact David Greber at or 240.772.5137


ABOUT DAVID GREBER | 240.772.5137

Mr. Greber has extensive legal experience in business, privacy and data protection, intellectual property, and estate planning law. He particularly thrives in engagements that make good use of his ability to cut through complexity by providing clear explanations of options and valuable advice about the merits of each choice. His mission is to be an accessible advisor, an excellent listener, a practical strategist, an effective teacher, and an efficient implementer. He holds the following International Association of Privacy Professionals certifications: CIPM (Certified Information Privacy Manager), CIPP/US (Certified Information Privacy Professional / US law), and CIPP/E (Certified Information Privacy Professional / European law).





Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 170 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our eleven offices serve individual and corporate clients in the Virginia, Washington, DC, Maryland, Delaware, Pennsylvania, New Jersey, and New York City regions. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.

You can connect with Offit Kurman via our Blog, Facebook, Twitter, Google+, YouTube, and LinkedIn pages. You can also sign up to receive Law Matters, Offit Kurman’s monthly newsletter covering a diverse selection of legal and corporate thought leadership content.