September 21, 2020

Volume X, Number 265

California Passes the California Consumer Privacy Act of 2018

What’s Happening?

On June 28, 2018, Governor Jerry Brown signed a new privacy law that will allow California residents to exercise more control over the personal information companies collect on them and impose new penalties for noncompliance. The law is a first of its kind in the United States and is similar in some ways to Europe’s new General Data Protection Regulation (GDPR). The law will go into effect January 1, 2020, allowing companies time to prepare and adjust their business practices.

Known as the California Consumer Privacy Act of 2018 (AB 375), the law is a legislative response to a successful ballot initiative campaigned by the interest group “Californians for Consumer Privacy.” Once approved for the November ballot, lawmakers moved quickly to craft legislation that offers a more measured approach to consumer privacy than the ballot initiative. As drafted, however, the law hews relatively close to the ballot initiative, prompting Californians for Consumer Privacy to withdraw their proposal. Lawmakers anticipate this law will be amended in the run-up to 2020 to further harmonize business interests and consumer protections.

What Does the Law Do?

The law gives consumers additional control over their personal information and new rights they may exercise with companies collecting their personal information. For example, the law provides for all of the following:

  • Required Disclosures. The law will require new disclosures regarding consumer personal information. For example, a business may be required to disclose the purposes for which it collects or sells personal information, the categories of personal information that it collects, the sources from which that information is collected, and the categories of third parties with which the information is shared.

  • Consumer Rights. The law grants consumers new rights similar to the GDPR’s data subject rights. Consumers will be able to request, for example, deletion of personal information from a business upon the business’ receipt of a verified request.

  • Limited “Opt-Out” Discrimination. The law will prevent a business from charging a consumer who “opts-out” of disclosing personal information a different price, or providing a different quality of service, unless the difference is reasonably related to value provided by the consumer’s data. 

  • Enforcement Mechanisms. The law gives new enforcement powers to the Attorney General for noncompliance and a private right of action to individuals in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s non-encrypted or non-redacted personal information, making it easier for individuals to sue companies after a data breach.

  • Penalties. The law provides that any person, business, or service provider that intentionally violates the law may be liable for a civil penalty of up to $7,500 per violation. The law will also allow recovery of damages in a private right of action for an amount not to exceed $750 per incident or actual damages, whichever is greater.

  • Restricted Sale of Personal Data. The law will curb the sale and resale of personal data by third parties who receive personal data from a business, unless the disclosing business has given consumers explicit notice and the opportunity to “opt-out.”

  • Age Restrictions. The law will prevent the sale of personal information of a consumer under the age of 16, unless affirmatively authorized through an “opt-in.” For individuals under the age of 13, parental consent will also be required.

  • A Definition of “Personal Information.” The law defines “personal information” with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information. The concept is much broader than the traditional United States understanding of personally identifiable information, bringing it closer to the GDPR definition of “personal data.”

What Should I Do?

If your business collects consumer personal information, whether for marketing purposes or in the course of providing your products or services, now is the time to reevaluate your privacy practices. While January 1, 2020 is more than a year away, achieving compliance early can save your business from costly enforcement actions. Privacy laws are rapidly changing across the globe. To be sure your business is in compliance with the law, whether now in effect or coming soon, it is critical to work with experienced counsel to evaluate your risk exposure.

© Polsinelli PC, Polsinelli LLP in California

National Law Review, Volume VIII, Number 180


About this Author

Jarno Vanto, Privacy Attorney, Polsinelli Law Firm

Jarno Vanto's strengths lie in his ability to intimately understand each client’s specific industry technology and his awareness of the complex international environment. His extensive international experience allows him to provide a differentiated perspective to clients on privacy, cyber security, intellectual property, and corporate matters. 

Bryan Reece Clark, Kansas City Attorney at Polsinelli Law Firm's Privacy and Data Security Law Practice

On November 6, 2017, Reece Clark joined Polsinelli’s Privacy and Data Security practice. He has worked in industries ranging from healthcare to banking, and telecommunications to retail. His areas of focus include cyber-security, technology, and venture capital casework. Mr. Clark served as Executive Editor of Iowa Law Review while attending Iowa College of Law. He also received his M.B.A., cum laude, from Rockhurst University (2013, Management) and his B.A., cum laude, from Rockhurst University (2011, Economics, Political Science).

Areas of Focus

  • Privacy and Data Security
  • Technology
  • Venture Capital


  • J.D., with distinction, University of Iowa College of Law, 2017, Executive Editor of Iowa Law Review
  • M.B.A., cum laude, Rockhurst University, 2013, Management
  • B.A., cum laude, Rockhurst University, 2011, Economics, Political Science; Delta Sigma Pi Business Fraternity

Bar Jurisdictions

  • Missouri, 2017
  • Kansas

Court Admissions

  • The State of Missouri, 2017

Steven Hengeli, Polsinelli Law Firm, Kansas City, Data Privacy Attorney

With a background in computer programming, Steven Hengeli takes a problem-solving approach to privacy, data security, and technology transactions. He aims to provide practical legal advice, taking into consideration not only the legal risks involved, but also the business impact. Steve uses his technology background to help clients in the software, Internet-of-Things, and medical device industries build privacy and security into their products.


Prior to joining Polsinelli, Allison spent several years serving as in-house counsel to privately held and publicly traded companies that operated in highly regulated industries including health care and financial services. While in-house she served on a variety of executive-sponsored strategic planning committees tasked with implementing initiatives such as information technology transformation, business process improvement, and compliance with the EU’s General Data Protection Regulation (“GDPR”). Allison’s experience working closely with business leaders influences her...

L. Hannah Ji, Polsinelli Law Firm, St. Louis, Technology and Cybersecurity Law Attorney

Hannah Ji is dedicated to understanding each client’s business model, practices, and objectives to help them protect and profit from their investment in a variety of technologies. She utilizes her experience to advise a wide variety of industries including global manufacturers, health care conglomerates, sourcing providers, retail companies, and global online businesses. Hannah frequently represents clients on privacy and data security, trademark, copyright, and various intellectual property matters. 

Her practice also focuses on: