California’s ‘GDPR-like’ privacy law passes: What you need to know

Last month, California lawmakers passed one of the toughest privacy laws in the US.

The California Consumer Privacy Act of 2018 gives residents the power to request that organizations:

  • Provide any stored personal information pertaining to them
  • Disclose how they obtained the information
  • Refrain from selling or disclosing their personal information

The legislation, which will go into effect in January 2020, has naturally been compared to the recently enacted EU GDPR (General Data Protection Regulation). Both give individuals more control over their personal data, restrict what organizations can do with data, and give regulators the power to fine non-compliant organizations.

Those that are already GDPR-compliant will only have to make adjustments to meet the requirements of California’s new law. However, other organizations will need to overhaul their data protection practices to fall in line with a new era of strict cybersecurity regulations.

Didn’t go to a vote

California was originally set to vote on a similar ballot initiative, but disagreements over its requirements led to the last-minute creation of the slightly less strict California Consumer Privacy Act, which went from draft to law in one week.

The new proposal was still highly divisive, but its detractors, including tech organizations such as Google, Facebook, and Verizon, decided that the legislation was the better of two bad options.

Meanwhile, the New York Times reported that legislators who voted for the bill had little choice but to support the alternative, since “a ballot measure would provide less flexibility to make changes in the future.” That’s because the measure included a provision that would have required a 70% majority in both houses of the legislature to approve any changes after it became law.

Who will be affected?

The California Consumer Privacy Act will naturally be smaller in scope than the GDPR, but that’s not to say it won’t have major repercussions.

For a start, the legislation applies to every organization that uses California residents’ personal data. The state is home to more than one in eight US residents, meaning there’s a good chance that any organization that operates across state lines will be subject to the law. International organizations that service US customers are also likely to be affected.

There’s also the potential influence of the law to consider. California is renowned for its strict data protection standards, and many organizations have adopted the state’s laws as a matter of best practice. This is usually beneficial in the long run, as laws passed in California have often been replicated by other regulators.

How you can prepare

Although the law doesn’t take effect until 2020, which sounds a long way off, it will take time to implement the necessary changes. You’d therefore benefit from getting started as soon as possible. The swiftness with which the law passed means there’s little specific information currently out there to help you comply, so you should consider turning to the GDPR.

The GDPR covers cybersecurity best practices comprehensively, and knowledge of its requirements has become essential for any professional working in the industry. The similarities to the California Consumer Privacy Act mean that GDPR expertise can be transitioned over to the new law.

You can begin to get to grips with the Regulation by taking a look at our GDPR compliance checklist and watching our webinar: Why should North American organizations comply with the GDPR?

This webinar will take place on Tuesday, July 24, 2018 at 1:00 pm (EDT). If you can’t make the presentation, it will be available to download from our website, where you can also browse our previous webinars.

GDPR webinars