1 January 2020 saw the introduction of the California Consumer Protection Act, a new data protection law in California and the toughest data privacy law in the US to date.
What importance does this have in the US and outside the US?
It is a California-based law but as California is typically seen as the trend-setter for new US legislation, it seems very likely we can expect other states to follow suit with similar legislation.
As a California-based law, it affects businesses “doing business in California” (“doing business” is defined as operating for profit), that collect consumers’ (being California residents) personal information, and determine the purposes and means of the data collection and processing.
The legislation does NOT require the business to be established in California, therefore it will apply to a business registered or established outside the state and even outside the USA, if the business “does business” in California and collects personal data from California residents.
Is it basically the same as the GDPR?
Yes and no; some principles are the same, for example the intention is clearly to give consumers some protection from the unfettered collection and ongoing distribution of their data and to establish a requirement for informing consumers about the use to which their personal data might be put. The California Act also allows consumers to opt out of certain uses and guarantees the consumer some minimum rights (such as a right to information and access to data records held on them). The California Act also requires a privacy notice to be prepared by affected businesses.
However, in its detail, the act is quite different to the GDPR.
For example, the California Act applies only to businesses operating for profit – so that not-for-profit enterprises, such as charities, are not affected. The California Act also applies not only to data identifying individual consumers but also to “households”, so that, for example, data identifying a computer terminal or a mobile device that is linked to a household may constitute personal data (while under the GDPR it is a living individual (not a household) that must be identifiable).
The California Act distinguishes between collecting data, processing data and selling data but does not give a precise or exhaustive list of what constitutes “personal data” – and equally there is no special status for certain categories of data considered especially sensitive under the GDPR (and defined in the GDPR as “special category data”).
Finally, some of the information requirements and compliance deadlines are quite different, so that privacy notices will need to contain additional wording to be compliant with the California Act even if they are compliant with the GDPR. So, whilst GDPR sets a global ‘gold standard’ for data protection, the California Act will require action to be taken by international businesses that operate in the USA, the EU and the UK.
For more information on data protection, please contact Georgia Shriane of the Commercial and Technology team on [email protected]