At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018. The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR. The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors. Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.
The Act provides California residents some rights that also appear familiar. For example:
- Consumers can request a copy of all the Personal Information a business has collected;
- Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
- Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.