May 25, 2020

May 22, 2020


The California Privacy Law Is Coming: What Should Your Company Do Now?

As has been widely reported, California’s new privacy regime is set to come into effect on January 1, 2020. The law constitutes an expansion beyond California’s existing privacy laws, in particular California’s existing Shine the Light Law and the California Online Privacy Protection Act. Various provisions of the new law will apply to businesses with annual total revenue greater than $25 million (not just in California), that obtain or share for commercial purposes the personal information of 50,000 or more, or that get 50% or more of their revenue from selling or sharing PII. The law was passed quickly to avoid a similar voter-initiative ballot measure, and as a result has several ambiguities and apparent inconsistencies. It is therefore very likely that the law will be changed by amendment, and clarified through rules and regulations, before it comes into effect in 2020. 

In the meantime, though, it is useful to look at what the law, as currently drafted, will require. The law has been compared to GDPR, and referred to as the US’s first “GDPR” law. There are many differences between GDPR and this California law, however. For example, the California law does not require companies to appoint a Data Protection Officer, to create records of processing, or to seek opt-in consent to online tracking. From a practical perspective, for companies already following California’s existing privacy laws, some of the main differences under the new law will be (1) allowing consumers to opt out of the sale of their personal information to third parties; (2) getting opt-in consent before selling PII of those under 16; (3) telling people, if they ask, what information the company has collected about them, how it was collected, why, and if it has been shared or sold (as opposed to the current Shine the Light requirement that companies simply tell people if such sharing occurs, with disclosure obligations lessened if an opt-out or an opt-in exists); (4) the introduction of “data portability” and deletion measures; and (5) having a privacy policy for offline information collection (the current law requires this only for online collection).

Companies can begin to think about how they would implement these measures, and follow what we anticipate will be further developments in the legislation itself and clarifying regulations issued to help companies address the requirements. Also worth watching is the law’s treatment of private rights of action. The law does not contain a private right of action for violation of any of the disclosure or individual rights provisions, but it does provide a private right of action for consumers whose information has been compromised in a data breach resulting from inadequate security measures (subject to the California Attorney General taking over such action). This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute.

Putting it Into Practice: While the California Consumer Privacy Act will almost certainly change before it comes into effect in January 2020, companies may want to begin thinking about some of the core new provisions in that law, in particular how to respond to consumer information and deletion requests. We will continue to monitor this law and anticipate that further details about compliance will be forthcoming from California, as well as potential modifications to the law itself.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Craig Cardon serves as Co-chair of Sheppard Mullin’s Privacy & Data Security Group and as the International Liaison for the firm’s China offices. Craig is a partner in the Entertainment, Technology and Advertising and the Intellectual Property Groups in Sheppard Mullin's San Francisco and Century City offices.

Areas of Practice

Craig enjoys a broad advertising, privacy and ecommerce focused practice. He primarily represents brands, retailers, ad agencies, ad networks and other businesses involved in advertising, marketing and the data associated with it.

Brian D. Anderson, Intellectual Property, Attorney, Sheppard Mullin, Law firm

Brian D. Anderson is an associate in the Intellectual Property Practice Group in Sheppard Mullin's San Francisco and Palo Alto offices. He is a member of the Entertainment, Media, and Technology Industry Team.

Areas of Practice

Brian enjoys a broad intellectual property and commercial transactions, corporate, advertising and privacy and data security practice.

He focuses his practice on structuring and negotiating intellectual property and technology deals, such as...

Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and...

Shanna Pearce, Sheppard Mullin, San Diego

Ms. Pearce represents businesses in the areas of intellectual property and commercial litigation, from trademark and copyright matters to consumer class actions. She has represented Fortune 500 companies in complex actions involving allegations of copyright violation, breach of contract, fraud, and unfair business practices. She has also defended retailers and financial institutions in class actions alleging violations of statute and federal laws relating to false advertising, unfair competition, pricing practices, and lending disclosures. Ms. Pearce’s litigation...