Pardon the Interruption, but…US Jurisdictions Enact Data Protection Laws Reminiscent of GDPR

July 02, 2018

US legislatures are following the European Union’s lead for defining data protection. California just passed a sweeping new consumer data protection law, giving California consumers more control over how their personal data is used by businesses operating in California, and providing for civil damages and fines against businesses that violate the law’s personal data protection requirements.

The California Consumer Privacy Act of 2018 (California Act) was introduced on June 21 by California State Assembly Member Ed Chau and State Senator Robert Hertzberg, and was quickly signed into law on June 28 by California Governor Jerry Brown. The California Act preempts a stricter consumer data protection ballot initiative that was set for the November 2018 California ballot. With the enactment of the new California Act, that ballot initiative has been withdrawn as part of a negotiation between California lawmakers and Alastair Mactaggart, the San Francisco real estate developer responsible for launching the initiative.

Right-to-Know and Right-to-Be-Forgotten

While not as strict as Mactaggart’s initiative, the California Act grants California consumers[1] “right-to-know” and “right-to-be-forgotten” data protections—hallmarks of Europe’s recently enacted General Data Protection Regulation (GDPR). Specifically, under the California Act, businesses operating in California[2] must, at the consumer’s request, tell consumers what type of personal data is being collected, why that personal information is being collected, and if personal data is being shared with or sold to a third party. Businesses also are required to delete any personal information at the request of the consumer and to give consumers the ability to opt-out of the sale of their personal information to third parties.

Penalties for Noncompliance

Civil relief for the unauthorized disclosure of personal data under the law is capped at a $750 fine per consumer per incident or to actual damages (whichever is greater). Civil penalties for intentional violations, imposed by the California Attorney General, are capped at $75,000 per violation (however, fines are only imposed on businesses that fail to cure violations within 30 days of notification).

Covered Businesses

While the law is expansive in its consumer protection elements, it only applies to larger businesses that meet one or more of the following three criteria:

  1. Gross revenue exceeding $25 million
  2. Personal information of 50,000 or more California consumers or households is maintained
  3. 50% or more of annual revenue comes from selling consumers’ personal data

The law provides time for covered businesses to prepare for its enactment, as its requirements will not be imposed until January 1, 2020.

US Early Response to GDPR also Seen in Chicago

The California Act can be seen as early US response to Europe’s GDPR, as American citizens call for similar personal data protection. For instance, in April, a wide-ranging personal data protection city ordinance (Personal Data Collection and Protection Ordinance) was introduced in Chicago. If passed, the ordinance would impose GDPR-like restrictions on data brokers, website operators, online service providers, mobile phone retailers, and mobile application owners operating within the city. Specifically, the Chicago ordinance would require website operators to obtain an opt-in consent from Chicago residents before they could use, disclose, or sell a resident’s personal information. It would also require mobile device retailers to provide notice about location service functionality, and would prohibit mobile applications from collecting, using, or disclosing geolocation information without obtaining affirmative express consent from the user. And it would require data brokers (defined as commercial entities that collect, assemble, and possess personal information about Chicago residents who are not their customers or employees) to register with the city and provide the city with annual reports about the collection and use of personal data.


It is clear from the text of these new laws that lawmakers, activists, and private citizens around the United States are watching Europe intently and working to provide US citizens with more control over their personal data. Companies that process and use personal data as part of their business will need to follow suit.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Tess Blair
Vincent M. Catanzaro
Sarah Moran

[1] “Consumer” is defined in the act as a natural personal who is a resident in California.

[2] The act defines “business” as an entity that collects or processes or "determines the purposes and means of processing" consumers’ personal data that does business in the State of California.