New California Privacy Law Allows Consumers to Opt Out of Sale of Personal Info

SACRAMENTO, CALIFORNIA (June 28, 2018) - If you do business in California, including via the Internet, there are new privacy provisions that become effective January 1, 2020. The California Consumer Privacy Act of 2018, which originated as A.B. 375, was signed into law June 28. It gives the consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared.

The law also would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. The law would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.

The law applies to California companies as well as organizations doing business in California, but one important difference from Europe’s GDPR is that the regulations only apply to large corporations and associations. To be regulated under the new law, an organization must meet any one of these three requirements: 

  • has annual gross revenues exceeding $25 million;
  • sells personal information for 50,000 people or more annually; and
  • derives 50 percent or more of its annual revenues from selling personal information.

Another difference is that under GDPR, fines and penalties for data misuse are not insurable. In California, however, insurance policies that cover data misuse and breaches are legal, so companies should consider updating both their data handling policies and insurance contracts.

Click here to see all provisions of this law.