Consumer data protection continues to be a focus for governments after the latest round of data breaches and Facebook allowing Collaborative Analytics harvesting of its user’s data. In a hastily crafted bill, California legislatures and the governor passed AB 375, or the California Consumer Privacy Act of 2018.

There is good reason for hardly anyone noticing this new law; it was fast-tracked through the legislative process within seven (7) days.

California Consumer Privacy Act of 2018California legislature rapidly created a consumer privacy bill in response to an initiative of a privacy ballot supported by the Alastair Mactaggart’s non-profit, Californians for Consumer Privacy. Mactaggart’s organization garnered over 637,000 petition signatures by May of this year – surpassing the required 366,000 – and began to initiate a consumer privacy ballot measure for November.

Mactaggart did agree to pull the ballot referendum if the bill was passed by legislators and signed by the governor. California legislators passed the bill and Governor Jerry Brown signed it on June 28th. The law will go into effect on January 1, 2020.

How is the bill different from GDPR?

California Consumer Privacy Act of 2018 is very similar to the GDPR. Both laws allow their citizens to have control of what businesses can and cannot do with their personal data and require notification if their personal data has been compromised in a data breach.

Where this bill differs is in who has to comply. It is designed to target larger companies, especially those in Silicon Valley. Businesses who fall into the bill’s compliance must:

  • have annual gross revenues in excess of twenty-five million dollars ($25,000,000).
  • collect, buy, or sell personal information of 50,000 or more consumers, households, or devices.
  • derive 50 percent or more of its annual revenue through the selling consumer’s personal data.

Unintended Consequences

Trade organizations have voiced their opinions of the law in two areas. The first is how elements of this bill are vague and there was a lack of public discussion.

The Internet Association – whose members include Facebook, Amazon, and Google – has stated:

“Data regulation policy is complex and impacts every sector of the economy, including the internet industry. That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”

The CTIA, who represents the wireless telecommunication industry, cited they would prefer to see U.S. Congress passing legislation instead of each individual state.

“State-specific laws will stifle American innovation and confuse consumers,” CTIA said in a Yahoo article.

Will other states follow the same pathway as California in setting their own privacy law, or because of the cost and breadth to implement such laws, will it become a de facto standard like California emission laws have been to the automobile industry?

Automakers only design cars with California emission controls because they are the strictest of all emission controls. It is not cost effective to build cars based on each state’s emission control laws. The same could apply with the privacy laws.

Real Estate Implications

GDPR has already influenced most real estate firms, MLSs, and technology partners who must comply with having policies, practices, and procedures in place to handle an EU citizens request. Following the same GDPR practices for California citizens, and the possibility of others to come, the approach for businesses to become or remain compliant should be the same.

As with the GDPR, the California Consumer Privacy Act of 2018 will see modifications from now until it goes into effect on January 1, 2020. Businesses and legislators know changes will be necessary as those “unintended consequences” surface to the top.

Katherine Williams, a spokesperson for Google, stated to Yahoo Finance, “We appreciate that California legislators recognize these issues and we look forward to improvements to address the many unintended consequences of the law.”

The next steps were outlined in the WAV Group white paper, “How Europe’s New Personal Data Rule Impacts Real Estate”.

  • Develop awareness of the GDPR and California Consumer Privacy Act throughout the organization.
  • Audit and document the location of any personal data within the purview of the company.
  • Develop a roadmap to mitigate any policies, procedures or system implementation which can lead to non-compliance of the new privacy laws.
  • Assign a Data Protection Officer to advise and inform others of cyber and privacy rules. NOTE: Insurance companies are requesting to have a person designated as a Data Protection or Security Officer as a condition in providing cyber protection insurance policy to firms.
  • Establish processes on how to react to a consumer request under the new privacy laws.
    Train and repeat.

As there will be a need to modernize technology and policies, the WAV Group can continue to be a partner in providing assistance to implement new systems and processes to be GDPR and California Consumer Privacy Act of 2018 compliant. Contact Victor Lund, Marilyn Wilson, or David Gumpper to schedule some time. Firms may schedule a private WAV Group overview for their executive team or board by contacting Camilla Harvey at