In June, California passed a consumer privacy law that could affect many organizations conducting business in the state.

The law, which has been likened to the European Union’s GDPR regulations, gives California consumers the right to know what personal information a business has collected about them, including where it was sourced from and how that information is being used.

Consumers also have the right to opt out of having their information sold, the right to delete their information, and the right to receive equal service and pricing even if they exercise their privacy rights.

To comply, businesses will need to provide a specifically worded opt-out link on their home page and provide at least two ways for consumers to submit disclosure requests, including a toll-free phone number. Businesses will have 45 days to disclose their data sharing practices following a consumer request.

The act is slated to go into effect in 2020 and will apply to for-profit businesses that collect and control California residents’ personal information and meet any one of the following criteria:

• have annual gross revenues greater than $25 million;
• buy, receive, sell or share personal information of 50,000 or more California consumers annually; or
• derive 50 percent or more of their annual revenues from selling consumers’ personal information.

Though this means that most small businesses will not have to comply, the International Association of Privacy Professionals (IAPP) estimates that more than 500,000 U.S. businesses will be affected by the privacy law.