As the home of Facebook and other tech giants, California recently found itself in the center of a data privacy firestorm. In response to this and other controversies emanating from Silicon Valley’s technology community, California enacted a far-ranging data privacy law, the California Consumer Privacy Act of 2018. Despite its California origins, however, the law could have significant effects on businesses outside of the state.
The bill has a number of important provisions. First, it imposes new rules on companies that collect a consumer’s personal information: they must disclose the information being collected to the consumer, what categories of third parties it is shared with, and the “business or commercial purpose for collecting or selling personal information.” Cal. Civ. Code §§ 1798.100, 1798.110. A business must also provide the consumer with a copy of stored personal data upon request, and honor a consumer request to delete the personal information from company records, with limited exceptions. §§ 1798.100, 1798.105. Consumers must be given an opt-out right to direct a business not to sell her information—and a business cannot “discriminate” against opt-outs by, among other things, charging them a higher price, unless collecting the data provides value to the consumer herself. §§ 1798.120, 1798.125. The law gets its teeth from a provision allowing attorney general enforcement and, in the case of data theft or unauthorized access, direct private actions by consumers for damages or injunctive relief, if the attorney general declines to bring suit. § 1798.150
The law’s geographic reach is likely to extend far beyond California’s borders. While the law limits its definition of “consumer” to California residents, its provisions apply to any business that “does business in California” if it also (i) has gross revenues over $25 million, (ii) buys, sells, or shares the information of 50,000 or more consumers, or (iii) derives 50% or more of its revenue from the sale of personal information. § 1798.140(c), (g). In short, most companies that touch California consumers are likely covered: both those that do a substantial business in data collection or sharing are covered, and any company with revenues over $25 million, even if data collection is an insubstantial part of its business. The only exception is if “every aspect of that commercial conduct takes place wholly outside of California.” § 1798.145(a)(6).
And while the law may have been drafted with tech giants like Facebook and Google in mind, nothing in its scope limits its reach to online tech companies. For example, the law will almost certainly affect any retailer that collects and stores personal information, so long as it has a website that California consumers can access—even with no physical location in California. Businesses that opt to implement an enterprise-wide privacy scheme will end up giving substantial protections to non-California residents, too.
The passage of the law could have less direct effects on New York businesses as well. One of the bill’s co-authors has been quoted as saying he “hopes other states will follow” California’s lead. Moreover, the patchwork effect of differing state laws started by the passage of California’s recent bill could spur the federal government to action. California’s new law goes into effect on January 1, 2020, so it won’t be long before we find out whether the state is an outlier, or just ahead of the curve.