California Consumer Privacy Act of 2018

July 10, 2018 Alerts and Newsletters


On June 28, a new law took effect in California that gives California residents greater control over the collection and processing of their personal information. The law, called the California Consumer Privacy Act of 2018 (the "Act"), incorporates principles similar to those in the European Union's General Data Protection Regulation (GDPR), which took effect in May of this year. Businesses collecting personal information of California residents should assess their obligations under the Act and take any necessary steps to ensure compliance before the Act takes effect on January 1, 2020.

History and Posture

The California legislature quickly drafted and passed the Act during the last week in June in an effort to forestall a more consumer-friendly ballot initiative from going to the polls in the November election. The ballot initiative was approved by California voters in June, but it was subsequently withdrawn following the passage of the Act due to a compromise between the California legislature and the ballot initiative's sponsors. It is expected that the Act will be further amended by the California legislature and interpreted by agency regulations. Although the major pillars of the Act are settled, a number of provisions still require further clarification.

Key Requirements Under the Act

As currently written, the Act requires certain businesses (described in more detail below) to disclose information to consumers about the personal information they collect, including the sources from which the information is collected, the purposes for collecting the information, and the third parties with whom the information is shared.

The Act defines "personal information" broadly to mean "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." It includes traditional identifiers like names and addresses, as well as commercial and biometric information, browsing and search history, geolocation data, and any "[i]nferences drawn from any information . . . to create a profile about a customer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes." Suffice it to say, the term "personal information" is especially broad.

The Act provides consumers the right to request that their personal information be erased. In most instances, businesses must comply with a consumer's request to erase his or her personal information.

Consumers also have a right under the Act to opt out of the sale of their personal information, and the Act prohibits businesses from discriminating against consumers who choose to do so. However, businesses may charge consumers a different price or provide different quality goods or services when consumers opt out if "that difference is reasonably related to the value provided to the consumer by the consumer's data." There is considerable ambiguity surrounding this exception, and we expect more information to be released clarifying its meaning.

Importantly, the Act also creates a private right of action for consumers in some circumstances in the event of unauthorized access to or disclosure of their personal information, and the Act provides for statutory damages that could amount to more than actual damages. However, the Act only applies to the personal information of California residents, so this private right of action is limited.

To Whom the Act Applies

The Act applies to any business that collects California residents' personal information and (i) has annual gross revenues over $25 million; (ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers; or (iii) derives fifty percent or more of its annual revenues from selling consumers' personal information. The Act does not apply to entities covered by the California Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act (HIPAA).

For further information on how Verrill Dana can assist with your business's compliance with the Act before its effective date on January 1, 2020, please reach out to your regular Verrill Dana attorney.

This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.
