This is a new law that the California AG has stated will be enforced beginning July 1, 2020.   The intent is to rein in use of California resident’s personal information by “businesses”.  Loosely, a “business” is defined as an entity (and its affiliates) operating in California that either (i) has $25 Million of revenue, (ii) traffics in at least 50,000 identities a year, or (iii) derives at least 50% of its revenue from trafficking in identity information. Four principles cited as the basis of the law are a consumer’s “right to know” what data is collected, a “right to delete” their information, a “right to opt out” of sale (or licensing) of their information and the “right to non-discrimination” by price or services from business arising from the consumer exercising these rights.   This requires utilizing two “designated methods” to provide notice and for customers to use as contact information to make data privacy requests. These can include requests to have their data disclosed to them and/or purged within 45 days, and to “opt out” of the sale of their data.   This suggests that customer data should be maintained in a database where each specific customer’s data can be individually selected for removal based on the customer’s opt-in/out flags.  There are regulations around providing informed consent in connection with offering financial incentives to customers in order to induce waiver of their rights and a requirement to maintain records about privacy requests in order to confirm compliance.  Nonetheless, there are a set of broadly worded exemptions related to internal use by the business, for example, R&D, product/service improvement, and system maintenance. Call us if you have any questions.