Everything You Need to Know About California’s New Consumer Privacy Act

Post Date: 06/29/2018

Were you caught off guard by the California Consumer Privacy Act of 2018 because you weren’t preparing for the GDPR? Learn how to take your first steps with our free webinar, “How to Use APIA as Part of the Tech Ecosystem for GDPR Compliance.” 

In what is likely one of the most significant changes to the privacy landscape in North America in recent years, the California state legislature has passed AB 375, the California Consumer Privacy Act of 2018.

This new law is without a doubt the strictest privacy bill in US history. While the law will not come into effect until January 1, 2020 (and could potentially be amended before its implementation date), the impact on companies will likely be immediate.

The California law provides new rights for consumers that are in many ways quite similar to the rights granted to European residents under the recently implemented European General Data Protection Regulation (“GDPR”).

The class of protected consumers under this law is so broad that the benefits will reach far beyond California’s borders. The law defines “a consumer” as “a natural person who is a California resident,” which in turn is defined as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”

These rights include the right to request a record of the type of data that an organization holds about them, how the organization is using that data (in a business context), and with whom the organization is sharing that data. This closely mirrors the individual right granted under GDPR of the “Data Subject Access Request.”

Significantly, organizations will be required to fully disclose third parties to whom they “sell data” and consumers will have the ability to object to that sale. Companies that do sell data will be obligated to explicitly create easy mechanisms for consumers to request that their data “not be sold.” In turn, companies will not be able to discriminate against users based on that choice (although companies may offer different levels of “paid services” so long as they are reasonable).

Finally, consumers will have a full right to request that their data be erased (with very limited exceptions).

Companies subject to this law include all for-profit entities that meet any one of the following criteria:

  1. Earn $24 million in annual revenue
  2. Hold the personal data of 50,000 people, households, or devices
  3. Derive at least half of their revenue from the sale of personal data.

Another point of great significance is: “the bill provides a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.”

So, what does this mean to your organization? The good news is that if you had already started working on your GDPR program, you’ve likely gotten a nice head start on implementing the necessary policies, procedures and technical controls that you will need to have in place.

First and foremost, know your data and know your employees! Understand the data that is held within your organization. Every organization has sensitive data: customer information, employee records, intellectual property, medical records, you name it. To appropriately protect it, you must understand the life cycle of data in your business.

Determining what the data is, how the data is being created or collected, how it is maintained, stored and shared while it is being used, and how it should eventually be disposed of are the key steps toward implementing better practices that will protect these valuable assets.

Once security practitioners understand the original source of the data, they can best decide where it should live, with whom it can be shared, how it can be accessed, and how it should be destroyed.

Only when you understand your data can you implement practical and operational policies that delineate between work-related data and personal data.

To protect information appropriately, owners and their IT teams must understand the lifecycle of data in their businesses. Only by knowing where your data lives will you be able to respond to consumer requests under the California Consumer Privacy Act.

For any new developments with the Consumer Privacy Act of 2018, be sure to subscribe to our blog!


Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities. Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School. LinkedIn: www.linkedin.com/in/danalouisesimberkoff/en Twitter: http://www.twitter.com/danalouise
