The law’s complex requirements kick in regardless if a company doesn’t deal directly with consumers. The law concerns companies that conduct business in California and includes out-of-state companies that sell to California. The law can also include businesses that profit from services like payment processing or website hosting.
Companies are under the law if they have worldwide revenue above $25 million, or collect and receive California consumers’ personal information of 50,000 or more.
The law was passed by the California Legislature in June 2018 and aims to protect consumers from having their information sold without their knowledge or consent.
Consumers the right to know what personal information companies collect from them, the California law says. ”Under a key provision, companies must give consumers the option to have their information deleted from databases,” the law said.
The law covers a wide range of data including names, addresses, Social Security and passport numbers, email addresses, internet browsing histories, purchasing histories, personal property and health information, professional or employment information, educational records and information from GPS apps and programs.
The California statute takes effect Jan. 1, however, enforcement won’t begin until July 1. Big Tech has faced a number of inquiries growing as lawmakers have been focused on competitive practices and efforts to ensure data privacy and protection.
One key state law that is in place, and which help inform other laws, as has been reported, exists with the California Consumer Privacy Act, which in turn can be traced to the General Data Protection Regulation (GDPR) mandated by the European Union.