Privacy Law

California law gives consumers new rights to prevent collection and sale of online data

  • Print.

data privacy

Titima Ongkantong /

A new data privacy law in California will give consumers the right to obtain data collected about them, the right to request deletion of the data, and the right to direct a business not to sell the information to third parties.

California Gov. Jerry Brown signed the bill into law Thursday, one week after it was introduced. The law takes effect in January 2020, report Ars Technica, the New York Times, the San Jose Mercury News, USA Today and Fortune.

The sponsor of a ballot initiative with tougher protections pulled the measure within hours of a withdrawal deadline.

The New York Times calls the law, the California Consumer Privacy Act, one of the most significant regulations of data collection in the United States. USA Today says the law is the nation’s toughest for online privacy protection, and it could serve as a model for other states.

The bill requires companies to disclose personal data collected when a consumer requests it, up to two times a year, and to delete and stop selling the personal information to third parties upon request.

It also prevents businesses from selling personal information about minors to third parties, unless the parent of a minor less than 13 affirmatively authorizes the sale, or the minor between the ages of 13 and 16 opts in to the sale.

Businesses can’t discriminate against consumers who exercise their rights under the law by denying them service, charging them different prices or providing a different level of quality. But businesses can offer financial incentives for collecting and selling information, and may offer differing prices that are directly related “to the value provided to the consumer by the consumer’s data.” (A Ropes & Gray analysis sees that wording as ambiguous.)

A consumer whose data is hacked is entitled to recover statutory damages of up to $750 in a civil suit when companies fail maintain reasonable security procedures—if certain steps are followed. Consumers can’t sue unless they first notify the business and the state attorney general, and the business doesn’t correct the problem in 30 days and the state attorney general does not bar the suit.

Intentional violations can bring civil penalties of up to $7,500 per violation.

The bill affects companies with California customers that gross at least $25 million a year, or interact with information to 50,000 or more people, or make more than half their revenue from selling personal information.

Give us feedback, share a story tip or update, or report an error.