The California Consumer Privacy Act Deadline is Approaching – Time to Prepare

Print PDF

Happy New Year, everyone! This year, like last, will be an active one in the privacy and data security world. 2018 saw the implementation of the General Data Privacy Regulation (GDPR) in Europe, which resulted in a lot activity, and uncertainty that 2019 will hopefully resolve. We may not know what 2019 has in store, but we do know that 2020 will start off with an explosion – and now is the time to start getting ready.

Last year California passed the most sweeping data privacy law in the nation, and as the nation’s largest economy, nearly everyone should be paying attention. The new law will take effect January 1, 2020. The California Consumer Privacy Act has been called GDPR light, because it takes a similar approach, and will likely drive other states in a similar direction (who knows maybe Congress too). 

The Act creates four basic privacy rights:

  • The right to know what personal information is and has been collected, where it came from, what it is used for, whether it has been shared, and if so to whom.
  • The right to opt-out from the sale of personal information to a third party, and those under 16 (or their parents) must consent to such sharing.
  • The right to have their personal information deleted, with certain exceptions.
  • The right to receive equal services, even if a person exercises their rights under the Act (including opting out from data collection).

Personal information is very broadly defined to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The inclusion of a household is a new twist, and the Act includes a laundry list of examples of personal information. There are some exceptions for de-identified or aggregated data, but the standards are strict.

The Act puts a great deal of the compliance burden on the privacy policy, and gives the California Attorney General the power to enforce the Act and impose fines. The Act could also from the basis for negligence based privacy lawsuits as well.

Now is the time to prepare, and the Act will require substantial changes to privacy policies, changes to how data is handled, how response from consumers are handled, and agreements with service providers and vendors that handle personal information will need attention.

We are here to help, and are available to advise clients on this and any other privacy and data security matters. For more information please contact Dan Rosenberg at 612-977-8795 or