California Privacy Law Brings ‘GDPR-Lite’ to the U.S.

In what has become an ongoing race among states to have the toughest privacy regulation in the U.S., California has jumped to the front. On June 28, 2018, California’s legislature unanimously passed a privacy bill, later signed by Governor Jerry Brown, that strengthens privacy protections for California residents while possibly mooting an even stronger privacy bill, opposed by major technology companies, that was slated to be on the November ballot.

The California Consumer Privacy Act of 2018 (AB-375) mirrors some of the consumer privacy rights for EU residents that took effect in May 2018 as part of the General Data Protection Regulation (GDPR), but with significantly lower penalties than the GDPR. Under AB-375, penalties for a violation are up to $750 per person, with a maximum of $7,500 per violation.

Consumers will have the right to transparency by asking a company for a list of the “categories and specific pieces of personal information” that the company has collected about them, the categories of sources for the data, and the categories of third parties to whom it has sold the data. Consumers will also have the right to request that their personal information be deleted by the company. The bill imposes a specific opt-in to consent to the sale of data belonging to a consumer under age 16.

The Act is effective January 1, 2020, and although it is geared towards Californians, it is likely to have far-reaching consequences across various industries and in other states. Companies with a regional or national presence are unlikely to develop processes and systems for responding to such consumer requests without rolling out those changes across the board. And because the law applies to the data of California residents, any business that does more than just a one-time transaction with a California resident will have to take notice of this new privacy regulation and prepare accordingly.

