California Consumer Privacy Act: win-win or GDPR parody?
U.S. lawyers called June 28, 2018 an outstanding date in the history of personal data protection legislation in the United States. On this day, California Governor Jerry Brown signed the California Consumer Privacy Act 2018 (hereinafter referred to as the “Privacy Act”).
The law shall enter into force on January 1, 2020, but the U.S. legal community is already actively discussing the consequences that it could have. What is so special about this Act, why does it receive so much attention, and how does it differ from the GDPR? Let’s go through everything step by step.
Who falls under the scope of the Privacy Act?
First of all, it clearly defines data subjects as individuals. Compared to the GDPR, which may apply to companies under a number of special conditions, the Privacy Act provides a narrower circle of data subjects, reducing it solely to individuals.
“Individuals” means residents of California who can be identified by any unique identifier. The definition of “identifier” applies to almost everything: unique electronic device code, cookies, IP address, unique nickname or an individual’s personal number, phone numbers, etc. It is stated that the list is not exhaustive. Thus, hypothetically, any information that can help identify a person may be counted as such an identifier.
On the other side, the Privacy Act places companies that process personal data.
Such companies include California-based sole proprietorships, partnerships, LLCs, corporations, associations, and any other legal entities that are created or operated in order to gain profit, that collect personal information themselves or on behalf of their customers, and that alone or jointly with other companies determine the purposes and means of processing such information. These companies must also meet at least one of the following 3 criteria:
- has annual gross income of more than $25 million;
- individually or jointly with others, annually buys, receives for business purposes, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices;
- receives 50 percent or more of its annual revenue from selling its consumers’ personal information.
In addition, they also include any organization that controls the abovementioned companies or has the same branding. Compared to the GDPR, which applies to both controllers and operators, the scope of legal entities under the Privacy Act is limited to controllers only.
Therefore, the scope of the California Consumer Privacy Act is narrower with respect to data subjects that are related to the processing of personal data.
What personal data does the Privacy Act protect?
According to the provisions of the Privacy Act, personal information is information that identifies, relates to, describes, is capable of being associated with, or may reasonably be related directly or indirectly to a particular data subject or household.
Personal information includes, but is not limited to:
- identifiers such as real name, nickname, mailing address, any other unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, etc.;
- any categories of personal information, such as insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information;
- race, color, gender, age (40 and over), religion, national origin, disability, nationality status, genetic information, marital status, sexual orientation and self-identification, health status, infectious diseases, military or veteran status, political belief or affiliation, status of victim of domestic violence, assault or harassment;
- commercial information, including records of personal property, products or services purchased, received or viewed, or other purchase or consumption histories;
- biometric information;
- information regarding internet or any other type of social activity, including, but not limited to, browsing history, search history, and information about a person’s interaction with a website, app, or online advertisement;
- geolocation data;
- audio, electronic, visual, thermal, olfactory or any similar information;
- professional or employment-related information;
- education information, which is defined as not generally accessible personally identifiable information;
- conclusions drawn from any information identified in this section to create a consumer profile that reflects his/her consumer preferences, characteristics, psychological tendencies, inclinations, behaviors, attitudes, intelligence and abilities.
The category of personal information does not include publicly available information, which means information lawfully owned by the competent authorities. Information is not counted as publicly available if it is: biometric information collected by a company about a person without his knowledge; data that is located in the public domain or that is used for a purpose incompatible with the purposes of its collection and storage; information that is deidentified or compatible with the data subject’s information.
Taking this into account, we may conclude that the category of personal data under the Privacy Act is much more detailed than under the GDPR. This characteristic should be seen as a strength, as it both clearly defines the scope of the definition and leaves it possible to allocate “other information” to this category.
What rights are given to data subjects?
The California Consumer Privacy Act grants data subjects a wide range of rights. For example, data subjects will have the right to require companies that collect personal information to:
- disclose to the data subject the categories and specific types of data collected by the company;
- delete any personal information that the company has collected about the data subject;
- reveal to the data subject:
  - categories of data collected by the company about the data subject;
  - categories of sources from which such data are collected;
  - business or commercial purpose for collecting or selling such data;
  - categories of third parties with whom the company shares this data;
  - specific pieces of personal data collected by the company;
- where the company sells a data subject’s personal information or discloses it for business purposes, disclose to that person:
  - categories of personal information the company collects about the data subject;
  - categories of personal information of the data subject that were sold by the company and the categories of third parties to whom such information was sold;
  - categories of personal information of the data subject that the company disclosed in order to achieve business goals;
- not sell the information to a third party (applies to a company that sells personal information to a third party).
As we may see, the volume of data subjects’ rights under the Privacy Act is, in fact, similar to that under the GDPR. Thus, we can conclude that the Privacy Act strongly protects the rights of data subjects.
Analyzing the provisions of the Privacy Act as a whole, we should note that the California Consumer Privacy Act is a “win-win” and a huge step forward regarding the protection of personal data in the United States. Although the Privacy Act will only extend to the territory of California, U.S. lawyers emphasize that other states will most likely support this trend and adopt their own personal data protection acts.
According to U.S. lawyers, those companies that have already gone through GDPR compliance will have significant advantages over those companies that have not. The trend for personal data protection is going up and it is not expected to end in the near future.
Therefore, we recommend that you follow the changes and review your policies and procedures in order to ensure that your business meets up-to-date legal requirements.