Following closely on the heels of the EU’s General Data Protection Regulation (GDPR), California recently enacted its own consumer privacy law called the California Consumer Privacy Act of 2018 (CCPA).

The law, which requires protection of personal information of California residents, was passed in June and then amended in late September. Merchants and payment processors will be affected by the CCPA, even those that are not based in California. Businesses will need to think closely about what types of data they collect and how they store and transmit such data. They will also need to establish processes for dealing with consumer requests.

Below are some key provisions:

1. The law protects the personal information of consumers, defined as natural persons who are residents of California.
2. It gives consumers the right to know what types of personal information are being collected, and whether personal information is sold or disclosed and to whom.
3. It authorizes consumers to opt-out of the sale of personal information to third parties.
4. It allows a consumer to request a copy of the specific pieces of information collected and an explanation of the business purposes for which they are used.
5. It gives consumers the right to request the deletion of personal information collected.
6. It requires businesses to provide equal service and pricing with respect to privacy, which means a business cannot charge a different price to a consumer who opts out.
7. For individuals under 16, the CCPA requires an opt-in regime rather than opt-out. So the sale of such an individual’s personal information would require affirmative consent.
8. The law applies to companies that conduct business in California, collect consumer personal information, and satisfy the following:
   1. Annual gross revenue exceeds $25 million; or
   2. Buys, sells, or shares/receives for commercial purposes (alone or in combination) personal info of 50,000 or more consumers, households, or devices; or
   3. Derives 50% or more of annual revenue from selling consumer personal information.
9. The law becomes effective on July 1, 2020.

Personal information is defined broadly, encompassing many types of personal, professional, educational, and commercial information, biometric and geolocation data, as well as any inferences drawn from such information to create a consumer profile “reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

The law also introduces a private right of action against business in certain circumstances involving unauthorized access, theft, or disclosure of personal information that is stored in the nonredacted or nonencrypted form.

Merchants and payment processors would be well advised to examine the law, determine its effect on their operations, and prepare well ahead of the effective date in 2020.