California goes GDPR (LinkedIn article / July 1, 2018)

 

With The California Consumer Privacy Act of 2018, some of the hottest topics of the GDPR will become Californian law, making the immense efforts of Californian tech companies to become GDPR compliant a little bit less of a bitter pill.

While US companies in particular are attentively observing how the General Data Protection Regulation (GDPR) changes the privacy landscape not only in Europe but in many countries around the globe, California passed ‘The California Consumer Privacy Act of 2018’ (AB 375) in a rapid legislative action on June 28th, to come into effect at the beginning of 2020.

It is worth taking a closer look at “the nation’s toughest data privacy law” (CNN). Although the California privacy act – in line with the US approach to privacy – is aimed at consumer protection and is therefore not as extensive as the GDPR, there are obvious parallels between the data subject rights in the EU and the future consumer rights in California.

Some outstanding parallels include:

  • The California Consumer Privacy Act of 2018 provides for a transparency requirement which, in its breadth and scope, is very reminiscent of the GDPR.
  • Furthermore, consumers shall have the right to request a record of what types of data are collected about them, the scope of data processing, and information on data sharing, known under the GDPR as the right to access.
  • Going beyond the general transparency requirements, the new California Privacy Act also provides for a data portability right and even a right to erasure, one of the most discussed requirements under the GDPR.
  • Not surprisingly, the prohibition on discriminating against consumers because they exercise any of their privacy rights under the act looks familiar too.

Even more outstanding is the very broad definition of ‘personal information’ as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, explicitly including IP addresses. This definition is much broader than the usual definition of PII, and it will be very interesting to see whether it will be interpreted like “related to an identified or identifiable natural person” in the GDPR. If so, the California act triggers a substantial widening of privacy rights.

It is obvious that The California Consumer Privacy Act of 2018 steers consumer privacy in the direction the GDPR took just a couple of weeks before. One should certainly not disregard (i) the very limited scope of the act compared to the EU regulation and (ii) the substantial differences that remain even within the overlapping scope (such as the very important opt-out principle). Nonetheless, US companies which have swallowed the bitter pill of the GDPR can now leverage some of their compliance efforts.