Following hot on the heels of the General Data Protection Regulation (GDPR) in Europe, Californian lawmakers have passed perhaps the strictest privacy legislation in the United States to date. In many aspects, it arguably mirrors the fundamental underpinnings of GDPR.
The Californian Consumer Privacy Act 2018 (AB 375) is set to have considerable impact on the way businesses handle data. Companies that handle a significant amount of personal information will be required to be more transparent, uphold enhanced consumer privacy rights and be subject to a regime of fines. All things that will sound very familiar to EU companies.
The Act has been hastily drafted and approved, with no time for meaningful consultation, and it’s likely to be subjected to clarifications and amendments before coming into effect on 1st January 2020. Business interest groups are highly likely to want to push for changes on the fine detail prior to full implementation.
Unsurprisingly, the tech industry threw its weight and money into fighting the initiative, spending millions to oppose it through a group called the Committee to Protect California Jobs. Their argument was primarily that the measures would increase their liability and hurt their businesses. Facebook initially supported the opposition but pulled out in April after the Cambridge Analytica story broke.
What are the Act’s key measures?
- It will apply to for-profit companies doing business in California that collect consumer personal information, determine the purpose and means of processing, and meet one or more of the following criteria:
  - have gross revenue of $25M;
  - alone or in combination, annually buy, receive, sell or share the personal information of at least 50,000 consumers (natural persons resident in California), households or devices;
  - derive 50% or more of annual revenue from selling such information.
- It incorporates a series of consumer rights that in general cover territory familiar to those conversant with GDPR, including right of access type provisions and rights to erasure.
- Businesses will have to disclose, transparently, to whom they sell data, and consumers must be able to opt out of such usage.
- Children’s data is subject to opt-in provisions.
Although the Act as it currently stands will be subject to consultation, lobbying and subsequent amendments, it seems inevitable that the basic foundations will stand come January 2020. The question now arises as to whether a precedent has been set for other States to follow suit, in what might be a sea-change in how the United States manages data policy.
Mark Bridges, July 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.