
California Consumer Privacy Act of 2018

July 10, 2018 Alerts and Newsletters


On June 28, a new law took effect in California that gives California residents greater control over the collection and processing of their personal information. The law, called the California Consumer Privacy Act of 2018 (the "Act"), incorporates principles similar to those in the European Union's General Data Protection Regulation (GDPR), which took effect in May of this year. Businesses collecting personal information of California residents should assess their obligations under the Act and take any necessary steps to ensure compliance before the Act takes effect on January 1, 2020.

History and Posture

The California legislature quickly drafted and passed the Act during the last week in June in an effort to forestall a more consumer-friendly ballot initiative from going to the polls in the November election. The ballot initiative was approved by California voters in June, but it was subsequently withdrawn following the passage of the Act due to a compromise between the California legislature and the ballot initiative's sponsors. It is expected that the Act will be further amended by the California legislature and interpreted by agency regulations. Although the major pillars of the Act are settled, a number of provisions still require further clarification.

Key Requirements Under the Act

As currently written, the Act requires certain businesses (described in more detail below) to disclose information to consumers about the personal information they collect, including the sources from which the information is collected, the purposes for collecting the information, and the third parties with whom the information is shared.

The Act defines "personal information" broadly to mean "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." It includes traditional identifiers like names and addresses, as well as commercial and biometric information, browsing and search history, geolocation data, and any "[i]nferences drawn from any information . . . to create a profile about a customer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes." Suffice it to say, the term "personal information" is especially broad.

The Act provides consumers the right to request that their personal information be erased. In most instances, businesses must comply with a consumer's request to erase his or her personal information.

Consumers also have a right under the Act to opt out of the sale of their personal information, and the Act prohibits businesses from discriminating against consumers who choose to do so. However, businesses may charge consumers a different price or provide different quality goods or services when consumers opt out if "that difference is reasonably related to the value provided to the consumer by the consumer's data." There is considerable ambiguity surrounding this exception, and we expect more information to be released clarifying its meaning.

Importantly, the Act also creates a private right of action for consumers in some circumstances in the event of unauthorized access to or disclosure of their personal information, and the Act provides for statutory damages that could amount to more than actual damages. However, the Act only applies to the personal information of California residents, so this private right of action is limited.

To Whom the Act Applies

The Act applies to any business that collects California residents' personal information and (i) has annual gross revenues over $25 million; (ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers; or (iii) derives fifty percent or more of its annual revenues from selling consumers' personal information. The Act does not apply to entities covered by the California Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act (HIPAA).

For further information on how Verrill Dana can assist with your business's compliance with the Act before its effective date on January 1, 2020, please reach out to your regular Verrill Dana attorney.

This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.
