California to vote on ‘GDPR-like’ privacy law

California will soon vote on a proposed privacy law that would give individuals more control over the way organizations collect and use their data.

The California Consumer Personal Information Disclosure and Sale Initiative would give residents the power to request that organizations:

  • Provide any stored personal information pertaining to them
  • Disclose how they obtained the information
  • Refrain from selling or disclosing their personal information

The proposed bill would also “allow consumers to sue businesses for security breaches of consumers’ personal information or for other violations of the initiative’s provisions.”

The initiative will be put to a vote on November 6, 2018, requiring the equivalent of 5% of signatures from ballots cast in the preceding gubernatorial election to pass.

Who will be affected?

The initiative has drawn comparisons to the EU General Data Protection Regulation (GDPR), the vast privacy law that affects all organizations across the globe that collect EU residents’ personal data. California’s proposed law is naturally smaller in scope, but it will still have major repercussions.

For a start, the proposed initiative would apply to every organization that uses California residents’ personal data. The state is home to more than one in eight US residents, meaning there’s a good chance that any organization that operates across state lines will be subject to the law. International organizations that service US customers are also likely to be affected.

There’s also the potential influence of the bill to consider. California is renowned for its strict data protection standards, and many organizations have adopted the state’s laws as a matter of best practice. This is often beneficial in the long run, as bills passed in California have often been replicated by other regulators.

For example, in 1972, California was one of the first states to enshrine the right to privacy in its constitution. Thirty years later, it became the first state to require organizations to publicly disclose data breaches. It’s currently the only state that mandates that digital service providers post a privacy policy—although this is also a requirement of the GDPR, and is expected to become a norm in the next few years.


It’s yet to be known whether California’s initiative will be passed, but right now organizations have enough to worry about with the GDPR taking effect on 25 May 2018. If you’re among the many US organizations subject to the Regulation, it’s imperative that you and your staff are fully aware of the requirements you need to meet.

There’s an awful lot of information out there, but given that time is of the essence, you might benefit from a crash course in the form of our Certified GDPR Foundation and Practitioner Combination Course.

This course takes you from a GDPR beginner to an expert in five days. You’ll be guided through the Regulation by an experienced data protection practitioner, who’ll explain:

  • The background to the Regulation and its terminology
  • The six data protection principles
  • Data subjects’ rights
  • How to secure personal data
  • How to report data breaches
  • The role of the data protection officer
  • How to conduct data protection impact assessments
  • How to transfer personal data outside the EU
  • The responsibilities of supervisory authorities

You can take this course in person (in Boston, June 11-15, 2018) or via our real-time Live Online training sessions.
