Earlier this year, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA), also
known as AB 375. The new law, which takes effect January 2020, follows on the heels of GDPR
and will be the strictest data privacy law in the United States.
The legislation had made its way quickly to the State Assembly and the Senate, and was passed
by both without any opposition. Lawmakers were under pressure to pass the bill in order to avoid
an even more aggressive initiative, sponsored by Californians for Data Privacy, that threatened to
make the November ballot.
Although the law recognizes California as one of the world’s leaders in the development of new
technology, it specifically notes that the “proliferation of personal information has limited
Californians’ ability to properly protect and safeguard their privacy,” and cites the significant role
that technology and data now plays in every day life:
“It is almost impossible to apply for a job, raise a child, drive a car, or make an
appointment without sharing personal information.”
As such, the new law is a significant attempt to empower California residents with increased
rights and greater transparency around how organizations collect, use, and manage their
With the countdown for the law to take effect in just over a year, companies are scrambling to get
their processes and policies in order. Here are 4 things you need to consider to prepare for the
January 1, 2020 deadline.
1. Will AB 375 Impact Your Business?
It is estimated the law will apply to more than half a million U.S. companies, with the vast majority
being small to mid-size businesses.
Companies worldwide will need to comply with AB 375 if they collect, use, or disclose personal
information from a California resident, and they meet any one of the following:
Have an annual gross revenue of $25 million or more; OR
Buy, sell, or share personal information of at least 50,000 consumers, households or
Derive 50% of annual revenue from selling consumers’ personal information.
The law also applies to affiliated, co-branded entities if they meet the above criteria, even if the
affiliate does not do business in California.
Another key component is that the personal information does not need to contain a name. It can
include non-identifying data like IP addresses, web browsing history, or buyer behavior.
2. How Will the Law Increase Transparency on Data Collection and Management?
The law specifically points to the Facebook’s recent Cambridge Analytica scandal as a reason for
consumers to have clearer visibility into data collection:
“In March 2018, it came to light that tens of millions of people had their personal data misused by
a data mining firm called Cambridge Analytica…As a result, our desire for privacy controls and
transparency in data practices is heightened.”
AB 375 will now require companies to provide clear information to consumers at the point of
- Categories and specific pieces of personal data collected
- Categories of sources from which the data was collected
- The business purpose for collecting or selling the data and how it will be used
- To whom the data will be disclosed
3. What Rights Will Be Given to California Residents?
In addition to consumers having the right to know what personal information is being collected on
them, AB 375 provides California residents:
- The right to know if their personal data is being sold or disclosed.
- The right to say no to the sale of their personal information.
- The right to access the information collected.
- The right to equal service and price if they exercise their privacy rights.
- The right to request the business delete any personal information collected.
- The right to opt out of having their information sold to a third party.
4. How Should You Prepare?
It’s clear with GDPR and the California Privacy Act, that every company will soon be required to
comply with stricter regulations that empower consumer rights to data privacy.
Now is the time to get company policies and procedures compliant with key checklist items:
- Develop or refine your data-mapping that outlines how data is being collected, stored and
properly disposed of.
- Review contracts with outside parties to ensure they are adhering to the latest regulations.
- Assess your pricing structure. Under AB 375, business are prohibited from discriminating or
charging consumers a different price or rate, or providing a different level of quality goods or
services, if they exercise their privacy rights.
- Review where and how you communicate your data collection policies to consumers. Ensure
policies are clearly visible at the time data is collected, such as on your website or within your
- Outline your process for responding to a consumer if he/she requests the information your
company has collected.
- Work with trusted partners to ensure compliance. Adhering to the latest regulations can be
overwhelming for any business, and the risk of a violation could put your business in
jeopardy. It is important to work with trusted industry partners who can help protect your
company and stay ahead of regulatory standards.
Avritek has extensive experience in helping companies safeguard their business against data
breaches and improper data management. For more information on how Avritek can help you
prepare for the California Consumer Privacy Act, call us at 858-715-0950.
To access the complete legislative information on AB 375, click here.