In 2018, California enacted the most comprehensive privacy law in the US, the California Consumer Privacy Act of 2018 (CCPA).  The CCPA applies to any for-profit entity that handles data from California residents and meets one of the following three criteria: (i) has an annual gross revenue of more than $25 million; (ii) processes the personal information of 50,000 or more California individuals, households, or devices annually; or (iii) derives 50 percent or more of its annual revenue from “selling” consumers’ personal information.1

Key requirements of the CCPA include:

  • informing consumers about the categories of information collected, and the purpose of collecting it;
  • allowing consumers to opt out of any “sale” of personal information;
  • disclosing the categories, sources, business purpose, and specific pieces of information collected about a consumer;
  • providing specific notice to consumers on every Internet web page where personal information is collected; and
  • responding to consumer requests to delete personal information – and directing third parties to do the same.2

The CCPA goes into effect on January 1, 2020, though no enforcement action will be brought until July 1, 2020 or six months after the California Attorney General promulgates its final regulations, whichever is sooner.3

In addition to the CCPA, California law imposes a number of obligations on companies that collect information from California residents.  For example, the California Online Privacy Protection Act (CalOPPA) requires websites that collect personally identifiable information to conspicuously post and comply with a privacy policy.  Companies that do business in California must be sensitive to and ensure compliance with these laws.4


1 Cal. Civ. Code § 1798.140(c).

2 Id. § 1798.100 et seq.

3 Id. § 1798.185(c).

4 See Cal. Bus. & Prof. Code §§ 22575-22579.
