C3 has merged with Ingalls Read Press Release >>

Data Privacy Laws Like GDPR Are Coming to the U.S.

In the absence of a unified federal law governing data privacy rights in the United States, states like California are filling the void.

As exemplified by GDPR, governments are beginning to take action to protect their citizens from not just getting hacked, but from having their data used unfairly. And it’s only a matter of time until the US follows suit.

California already has. They recently passed their own data privacy law, the California Consumer Privacy Act of 2018 (“CCPA”). Signed on June 28th, this state law is expected to also have some national and international implications.

Totally unique in US law, the revolutionary CCPA states the following individual data privacy rights:

  1. The right to know the purpose of data collection and what categories of personal data are being collected before the collection takes place.
  2. The right to object a company’s sale of a consumer’s personal information.
  3. The right for additional information regarding the personal information being collected.
  4. The right to have one’s personal information deleted (with exceptions).
  5. The right to know whether one’s personal information is disclosed to a third parties (and to know which third parties information is disclosed to).
  6. The right to not be discriminated against in terms of the price of a company’s services in the event an individual chooses to exercise his or her privacy rights.

This law goes into effect January 1, 2020, and applies to any entity that does business in California that either (1) has annual gross revenues over $25 million, (2) annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices, or (3) derives 50% or more of its annual revenue from selling personal information of California residents.

What is “personal information”? In this case, it’s information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes names, addresses, IP addresses, or email accounts, as well as biometric and geolocation information. So companies that have already done the work for GDPR should be all set.

California’s move seems to be a first step toward a more expansive, rights-based privacy approach for the US, and we believe other states will likely follow suit. So buckle up.