On June 28, 2018, California Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (“CCPA”), a groundbreaking law that signals a shift in the data privacy regime in the U.S. and likely will require significant changes to businesses’ data protection programs. On September 23, 2018, Governor Brown signed into law SB-1121, which makes limited substantive and technical amendments to the CCPA. SB-1121 takes effect immediately, and delays the California Attorney General’s (“AG’s”) enforcement of the CCPA until six months after publication of the AG’s implementing regulations, or July 1, 2020, whichever comes first.

Key provisions of the CCPA include:

  • Applicability. The CCPA will apply to any for-profit business that (1) “does business in the state of California”; (2) collects consumers’ personal information (or on the behalf of which such information is collected) and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information; and (3) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million, (b) alone or in combination annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (c) derives 50 percent or more of its annual revenue from selling consumers’ personal information (collectively, “Businesses”).
  • Definition of Consumer. The CCPA defines “consumer” as a natural person who is a California resident.
  • Definition of Personal Information. Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
  • Right to Know. Upon a verifiable request from a consumer, a Business must disclose (1) the categories and specific pieces of personal information the business has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purposes for collecting or selling personal information; and (4) the categories of third parties with whom the business shares personal information. A Business that sells a consumer’s personal information or discloses it for a business purpose, must also disclose (1) the categories of personal information that the business sold about the consumer; (2) the categories of third parties to whom the personal information was sold (by category of personal information for each third party to whom the personal information was sold); and (3) the categories of personal information that the business disclosed about the consumer for a business purpose.


For reprint and licensing requests for this article, CLICK HERE.