
California's GDPR to come into force next month

Chris Hamblin, Editor, London, 4 December 2019


The California Consumer Privacy Act 2018, America's answer to the European Union's General Data Protection Regulation, is to come into force on 1 January. Several exemptions have been enacted in the past few months.

Amendment AB (Assembly Bill) 25 concentrates on employees, job applicants and similar types of people - a significant group of individuals with whom private banks have to deal. It helps Californian banks (and other businesses) by allowing them a moratorium on the main types of compliance in respect of information about these people. It does not abrogate these people's right to sue banks if they discover that the banks have mishandled their personal information, and it still requires banks to notify employees about the categories of information about them that they are collecting and why. The moratorium lasts until 1 January 2021, but banks would not need to offer opt-out, access, and deletion rights.

On the subject of clarifying the meaning of 'personal' and 'de-identified' information, a report by the International Association of Privacy Professionals stated before the Bill became law: "Assemblywoman Jacqui Irwin’s AB 873 was approved unanimously. The bill now contains two compromise proposals. The first qualifies that personal information does not cover all “information that is...capable of being associated” with a particular individual or household, but instead information that is “reasonably capable of being [so] associated.” This provision would have the effect of placing some boundary on the CCPA’s virtually limitless, CNIL-like definition of personal data, excluding information that is only theoretically capable of being associated."

The CNIL is a French privacy watchdog called the Commission Nationale de l'Informatique et des Libertés.

AB 874 (personal information definition) and AB 1146 (technical amendments) look at the kind of information that the CCPA covers. The California Assembly blog states that it "clarifies the contours of the publicly available information exception to the definition of personal information. Specifically, it eliminates the 'purpose' requirement within the exception. As a result, information lawfully made available in federal, state or local government records will be considered 'publicly available' and excluded from the definition of personal information."

Various high-value car dealers might be grateful for AB 1146, which exempts information about vehicles and their ownership that dealers keep or share for warranty or recall purposes.

AB 1564 exempts purely online businesses from having to offer consumers a toll-free phone number.

In October Xavier Becerra, California's Attorney General, published some draft regulations in which he interprets the wording of the Act. He is legally obliged to publish the final version by 1 July next year.

The Act dictates that every bank must give its customer the "Notice at Collection of Personal Information" at or before the time when it collects his personal information, to tell him about the categories of personal information to be collected from him and the purposes for which it is going to use them. The Attorney General's regulations echo the GDPR by calling for every notice to use plain, straightforward language and avoid technical or legal jargon, use a format that draws the consumer’s attention to it, and be available in the languages in which the business provides contracts, disclaimers, sales announcements and other information to consumers.

The Act states that it applies to "businesses or service providers." The draft regulations interpret the phrase "service provider" to mean a person or entity that provides services to a person or organization that is not a business, and that would otherwise meet the requirements of a "service provider" under Civil Code section 1798.140(v).

Businesses are allowed to offer financial incentives, including payments to consumers, for the collection or sale or deletion of personal information. The regulations, however, call for each business to give each consumer a "notice of financial incentive" in certain circumstances subject to Civil Code section 1798.125(b). The notice must contain:

  • a succinct summary of the financial incentive or price or service difference being offered;
  • a description of the material terms of the financial incentive, including the categories of personal information that are implicated;
  • details of how the consumer can accept the incentive;
  • notification of the consumer’s right to withdraw from the deal at any time; and
  • an explanation of why the Act permits the financial incentive, including: (a) a good-faith estimate of the value of the consumer’s data that forms the basis for offering it; and (b) a description of the method by which the business calculated the value of the consumer’s data.

In view of these amendments and the far-from-final regulations, it is evident that the new privacy law is still a work in progress and will change - perhaps substantially - as time goes on.

Jared Broadbent, the co-founder and managing partner at Strata, has told the press: “Until the US comes up with a cohesive privacy law, funds must grapple with the expensive challenge of managing compliance on a state-by-state level. Over the next few years, expect the industry to lay the groundwork for more consistent and cohesive regulation across state lines.”
