For decades, US state legislatures have taken an incremental approach to privacy regulation, passing legislation that addressed specific privacy issues (e.g., a host of employee privacy laws, online privacy policy requirements, SSN privacy) but rejecting bills that proposed the broad-based creation of new privacy rights.

This pattern changed abruptly this week in California, where both houses of the legislature hastily passed the California Consumer Privacy Act of 2018 (AB 375), a long and confusingly drafted bill that would enshrine in California law a significant number of data subject rights found in the GDPR. Although this law does not take effect for 18 months and could change, it is a major development that companies should study carefully and plan for.

Our colleagues Jim Halpert and Andrew A. Kingman explain this major development in privacy law; click here for the full article.