For any company that has assets in California or handles Californians’ personal information, California’s new Consumer Privacy Act of 2018 will likely have a significant impact on core business operations. Gov. Jerry Brown signed off on this sweeping legislation on June 28—just before the deadline to prevent an even more restrictive initiative from being locked into the November California ballot.   

The act borrows heavily from a broad range of existing, global privacy and consumer protection rules and regulations. It is a privacy melting pot, expanding on existing California rules, including the Online Privacy Protection Act (CalOPPA), Shine the Light, and the so-called Internet Eraser law, and flavored heavily with EU General Data Protection Regulation (GDPR) style data-ownership and control rights, hints of the Illinois Biometric Information Privacy Act (BIPA), Vermont’s recently passed data broker law, and the Children’s Online Privacy Protection Act (COPPA), and nods to various industry best-practice guidance (e.g., FTC’s Data Broker Report; DAA self-regulatory guidelines for online behavioral advertising).