California Privacy Act v. GDPR
In June 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018. Many consider the Act to be GDPR-light.
The Act introduces key privacy requirements for businesses and is set to take effect January 1, 2020. It applies to any business that does business in the state of California, collects consumers’ personal information and meets one of the following thresholds: has annual gross revenues in excess of $25 million; alone or in combination annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or derives 50 percent or more of its annual revenue from selling consumers’ personal information.
Personal information is defined broadly by the Act and to some extent mirrors the EU General Data Protection Regulation’s definition. Covered businesses must disclose the categories and specific pieces of personal information collected, the categories of sources from which personal information is collected, the purposes for collecting or selling personal information, and the categories of third parties to whom the business disseminates personal information. Additional provisions include, without limitation, certain information sharing disclosures, opt-out mechanisms, enhanced privacy notices, special rules for minors, deletion rights and data security requirements.
So, how does the new California Consumer Privacy Act 2018 stack up against the GDPR when it comes to the handling of personal information?
For starters, the scope of both extends beyond their respective jurisdictions. The GDPR is structured upon the roles of controllers, processors and data subjects. The Act is structured upon “businesses,” “service providers,” “third parties” and “consumers.” Consult with an experienced marketing and advertising lawyer to discuss the various legal regulatory nuances of these concepts and how they may impact your business.
As indicated above, “personal data” is defined expansively by the Act. The Act defines personal data as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It provides numerous examples of information that should be considered personal data, from IP addresses and cookies, to beacons, pixel tags and things that can be used to recognize a data subject. Arguably, the Act’s definition is broader than the definition of personal data under the GDPR.
Perhaps the most significant difference between the two laws is that the Act does not contain internal data processing principles.
Various rights conferred upon California residents are similar to the GDPR, such as the right to access personal data. Both laws are enforced by a governmental authority. However, the Act creates a limited private right of action, whereas the GDPR does not impose the same limitations.
The Act and the GDPR are both similar and different. Both, however, mandate independent and deliberate data privacy compliance assessments.
The California Attorney General recently announced a handful of rulemaking workshops for the California Consumer Privacy Act of 2018. They will be open to the public and are anticipated to take place in various cities during the early part of 2019.
Richard B. Newman is a digital advertising attorney at Hinch Newman. He is a member of the International Association of Privacy Professionals.
Attorney advertising. Informational purposes only. Not legal advice.