California Enacts GDPR-Like Privacy Changes by Richard B. Newman, July 10, 2018 On the heels of Colorado’s new cybersecurity legislation, California has now announced that it has enacted the California Consumer Privacy Act of 2018. The legislation provides residents of California the right to: be informed about the personal information that is collected about them; be informed whether their information is sold to third-parties and who those third-parties are; limit the sale of their personal information to third-parties; be provided with access to their personal information; and be provided with the right to delete their personal information. Importantly, the new law adds the following categories of information to the definition of personal information: records of personal property, products, or services, and “consuming histories or tendencies”; biometric data; clickstream and “other electronic network activity information”; geolocation data; consumer sensory information; professional or employment-related information; educational information not publicly available; and “inferences drawn” from personal information. “Personal information” does not include publicly available information and consumer information that is “de-identified.” Consistent with the FTC’s “Start With Security” guidance, the law prohibits the collection of information that is not “reasonably necessary.” The Act provides California’s increased control of their personal information, including the right to know categories information collected and with whom it shared. It provides consumers the right to opt-out of the transfer of their information and requires that consumer be provided with meaningful choices before their information is shared. Children under the age of sixteen must opt-in. The law will directly impact the manner by which marketers collect, store, disseminate and otherwise utilize consumer data. It mandates the development and implementation of enhanced privacy policies and disclosures, and internal processes that address consumer requests regarding the use of data, including the sale and deletion thereof. Business are prohibited from discriminating against consumers for exercising their rights by, without limitation, refusing to make available products or services. Financial incentives may be acceptable so long as they are not “unjust, unreasonable, coercive, or usurious.” Not unlike Colorado’s cybersecurity legislation, third-party management controls are required, including responsible contract provisions and the diligent vetting of the data use practices thereof. The Act is reminiscent of the European Union’s General Data Protection Regulation. It will be enforced by the Attorney General and by private right of action. State AG enforcement carries stiff penalties of up to $7,500 per violation. The new law will be effective as of January 1, 2020. You can see the new legislation and various exceptions, here. Contact a privacy and data use compliance law firm to discuss legislative trend that impact the interactive advertising community. Richard B. Newman is a regulatory litigation, investigations and compliance attorney at Hinch Newman LLP. Follow him on LinkedIn. ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777. Filed under: Blue Book, Revenue Tagged under: Compliance, cybersecurity, FTC, FTC Compliance About the Author Richard B. Newman is an FTC defense lawyer at Hinch Newman LLP. He is a nationally recognized FTC defense lawyer and advertising compliance attorney. He regularly provides advertising counsel and represents clients in high-profile investigations (CIDs) and enforcement proceedings initiated by the Federal Trade Commission, state attorneys general, departments of consumer affairs, and other federal and state agencies with jurisdiction over advertising and marketing practices. Richard’s practice also concentrates upon transactional matters relating to the dissemination of national advertising campaigns, including the gamut of affiliate marketing, telemarketing, lead generation, list management and licensing agreements.