California threw down the proverbial gauntlet last night and enacted a sweeping new digital privacy law aimed at giving the state’s consumers more control over their personal information.
Other states – notably New York – have passed tough sector-specific data security regulations, but the California Consumer Privacy Act of 2018 (CCPA) applies broadly to businesses that collect personal information about California consumers. Following loosely in the footsteps of Europe’s General Data Protection Regulation, the California law sets specific parameters on how businesses collect, store, and use consumers’ personal data. The new law gives consumers the right to know what information companies are collecting about them, why they are collecting the information, and whether it is shared with third parties. It also provides that, upon a consumer’s request, companies must delete that consumer’s information or not share it with other organizations.
Notably, certain personal information covered by sector-specific laws, such as protected healthcare information or personal information under the Gramm-Leach-Bliley Act, is excepted from the law’s requirements.
The CCPA was fast-tracked through the legislature as an alternative to a ballot initiative spearheaded by a Bay Area real estate developer who saw a need for comprehensive data security legislation. The ballot initiative received significant opposition from the Silicon Valley tech industry, which eventually supported the new law.
Although the law does not go into effect until January 2020, it will create significant new restrictions and obligations for companies that collect and store information about California consumers. We’ll take an in-depth look at the law’s impact on businesses early next week.