
California Enacts Consumer Privacy Act of 2018

On June 28, California passed into law the California Consumer Privacy Act of 2018, which becomes operative on Jan. 1, 2020. As with the EU’s General Data Protection Regulation, the Privacy Act gives consumers greater control over the use and sharing of their personal information.

The Privacy Act allows a consumer to request that a business disclose:

  • the categories and specific pieces of personal information that it collects about the consumer;
  • the categories of sources from which that information is collected;
  • the business purposes for collecting or selling the information;
  • the categories of third parties with which the information is shared; and
  • the specific pieces of personal information it has collected about the consumer.

A consumer may request similar information with respect to personal information that a business sells to third parties, and a consumer may instruct a business not to sell her or his personal information.  Such businesses must include a link on their homepage titled “Do Not Sell My Personal Information.”

A consumer may also request deletion of any of her or his personal information the business has collected.  However, a business is not required to comply with a deletion request under certain circumstances including, but not limited to, when the personal information is necessary to:

  • complete the transaction for which the personal information was collected;
  • enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
  • comply with a legal obligation; and
  • use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Additionally, the Privacy Act is specifically inapplicable in a number of instances, including with respect to information that is deidentified or aggregated, information to or from a consumer reporting agency pursuant to the Fair Credit Reporting Act, information disclosed pursuant to the Gramm-Leach-Bliley Act, and information disclosed pursuant to the Driver’s Privacy Protection Act of 1994.

The Privacy Act provides consumers a private right of action in the event of the theft or disclosure of nonencrypted or nonredacted personal information resulting from a failure to maintain reasonable security measures. The Privacy Act allows for injunctive relief and damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Prior to initiating an individual or class action, a consumer must give the business 30 days’ notice to cure the violation.

A business may seek the opinion of the Attorney General on how to comply with the provisions of the Privacy Act.  Violations may result in civil penalties of up to $2,500 per violation pursuant to Cal. Bus. & Prof. Code § 17206, or up to $7,500 per violation for intentional violations.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
