California Consumer Privacy Act: victory or under-GDPR?
U.S. lawyers marked June 28, 2018 as a remarkable date in the history of the development of personal data protection legislation in the United States. On this day, California Governor Jerry Brown signed the California Consumer Privacy Act 2018 (the “Regulations”).
The law is not scheduled to go into effect until January 1, 2020, but already now the U.S. legal community is actively discussing the consequences that its enactment may entail. What is so special about this Act, why is it in the spotlight, and how does it differ from GDPR? Let’s take it one step at a time.
Who is affected by this Regulation?
First of all, the Regulation clearly states that the subjects of the data are natural persons (ordinary people). Compared to the GDPR, whose rules can apply to companies in a number of special conditions, the Regulation narrows the range of data subjects, reducing it exclusively to natural persons.
The individuals who will be affected by these innovations include individuals who are residents of the State of California and can be identified by any unique identifier. Such identifiers include practically everything: unique code of an electronic device, cookies, IP-address, unique alias or number of a person, telephone numbers, etc. It states that the list is not exhaustive, meaning that, in theory, any information that could help identify a person could be such an identifier.
On the other side of the barricades, the California Consumer Privacy Act puts companies that process personal data.
These companies include California-registered sole proprietorships, partnerships, LLCs, corporations, associations and any other legal entities that have been created or operate for profit and that collect personal information personally or on behalf of their consumers and that, alone or jointly with other companies, determine the purposes and means of processing such information. Also, such companies must necessarily meet at least one of three criteria:
Annual gross revenues in excess of $250,000,000;
Alone or in conjunction with others, buys, obtains for commercial business purposes, sells or shares for commercial purposes, alone or in conjunction, personal information of at least 50,000 consumers, households or devices each year;
Receives 50 percent or more of its annual revenues from the sale of consumers’ personal information.
It also includes any entity that controls or shares branding with the above companies. Compared to the GDPR, whose provisions apply to both controller companies and operator companies, the scope of entities under the Regulation is limited to controllers only.
Thus, the scope of the California Consumer Privacy Act is narrower with respect to data subjects related to the circulation of personal data.
What personal data does the Regulation protect?
Under the provisions of the Regulation, personal information is information that identifies, relates to, describes, is capable of being associated with, or can reasonably be associated directly or indirectly with a particular data subject or household.
Conclusions
To summarize, the California Consumer Privacy Act is a “victory” and a truly great step forward in the protection of personal data in the United States. Despite the fact that the Regulation applies only to the State of California, the lawyers say that, with high probability, other states will support this trend and adopt their own acts.
According to American lawyers, those companies which have built their privacy policies in accordance with the GDPR requirements will, in the coming years, have a significant advantage over those who have not. The trend of personal data protection is gaining momentum and its decline is not expected in the near future.