This article appears in the Fall 2018 magazine issue of DOCUMENT Strategy. Subscribe.

©2018 DOCUMENT Strategy

In late June, just a few hours before heading home for the summer, the California legislature passed AB 375, the California Consumer Privacy Act of 2018. As a result of its passage, Alastair Mactaggart, the man behind a November ballot initiative to pass a similar law, agreed to pull his bill from the ballot.

Now we have what industry insiders are calling CaCPA (say “kack-pa”), and it ensures that the landscape for consumer privacy in the United States will never be the same again.

In a news conference held to celebrate the bill’s passage and signature by Governor Jerry Brown, Assemblymember Ed Chau, who leads the California Assembly’s Privacy Committee, called the bill a “historic step” for California consumers, “giving them control over their personal data.” The law, he said, “forges a path forward to lead the nation once again on privacy and consumer protection issues.”

While there is still time for the bill to be amended before it comes into force on January 1, 2020 (Editor's Note: Already, we have seen an amendment passed by the California legislature in the form of SB 1121, which was signed by Governor Brown on September 23, 2018), the major components of the CaCPA would make it so:
  • Consumers have the ability to request a record of what types of data an organization holds about them, including information about how the business uses their data and the sharing of that data with any third party.
  • Businesses will have to have a verification process in place so consumers can prove their identity when making a request for their personal information.
  • Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use.
  • Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special "Do Not Sell My Personal Information" button on their websites to make it easy for consumers to object.
  • The sale of children's data will require express opt in, either by the child, if between ages 13 and 16, or by the parent, if the child is younger than 13.
  • Organizations cannot "discriminate against a consumer" based on exercising any of the rights granted in the bill. For example, a business can't provide a different level or quality of service based on a consumer objecting to the sale of their data. However, organizations could offer higher tiers of service or product in exchange for more data as long as they're not "unjust" or "usurious."
  • A covered business is defined as any for-profit entity that either earns $25 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or earns at least half of its revenue in the sale of personal data.
  • The law would be enforced by the Attorney General and would create a private right of action for unauthorized access to a consumer's "nonencrypted or nonredacted personal information." Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).
  • The law protects any "consumer," defined as a "natural person who is a California resident," which includes "(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."
In an analysis conducted by our research team at the International Association of Privacy Professionals (IAPP), we predict the law will affect a conservative estimate of 500,000 companies in the United States alone. Clearly, many businesses around the world that do business with California residents will be affected as well.

Of course, this begs the question, “Who won’t be affected?” Those businesses that fall under the Health Insurance Portability and Accountability Act (HIPAA) are not covered by this bill, so healthcare establishments can remain focused on HIPAA.

(Editor's Note: Additionally, the SB 1121 also exempts medical information governed by the Confidentiality of Medical Information Act or the Health Information Technology for Economic and Clinical Health Act as well as personal information collected, processed, or disclosed in accordance with the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.)

In addition, the bill defines a “business” as one that is “organized or operated for the profit or financial benefit of its shareholders or other owners,” which may be intended to exclude non-profits. This may be clarified later.

Finally, the law stipulates that one has to “do business in the state of California.” There’s a possibility that merely selling things to people who live in California via the Internet, but not having a physical presence there, might exclude a business from this law’s jurisdiction. However, considering the recent ruling by the Supreme Court of the United States on sales tax collection, that’s doubtful.

Finally, there is a wild card looming: The passage of CaCPA has a lot of organizations worried that many other states will follow with their own privacy legislation, forcing companies to deal with 50 different privacy frameworks. That would be very difficult indeed. Thus, there is an effort underway to get a federal privacy law off the ground that would pre-empt CaCPA. We may see that introduced before the end of the year.

Then, the US privacy landscape would change all over again.

Sam Pfeifle is the Content Director at the International Association of Privacy Professionals (IAPP). Contact Sam at or visit