• Insights

US – The impact of the GDPR outside the EU

Written by
FordHarrison LLP, nationwide U.S. law firm with a singular focus on HR law.
California’s Consumer Privacy Act of 2018 introduces personal data protection comparable to the GDPR at state level and will take effect on 1 January 2020.

California has become the first state to introduce privacy protection for individuals’ personal data comparable to that provided under the GDPR. The California Consumer Privacy Act of 2018 (‘CCPA’ or the ‘Act’), which takes effect on 1 January 2020, is a sweeping digital privacy law that creates new protections and rights for consumers’ personal data.

The CCPA will grant California consumers the following rights:

  • to know what personal information is being collected about them;
  • to know whether their personal information is sold or disclosed and to whom;
  • to say no to the sale of personal information;
  • to access their personal information;
  • to equal service and price, even if they exercise their privacy rights (e.g., businesses may presumably offer tiered pricing for goods and services, such as offering higher prices for increased privacy); and
  • in addition, to hold companies liable for data breaches.


Efforts to amend the CCPA continue since its quick passage.

As amended, the CCPA defines ‘personal information’ much more broadly than other privacy statutes in the United States, including California’s own data breach notification statute, closely aligning with the GDPR’s definition of ‘personal information.’ Personal information under the CCPA includes:

‘information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’

This broad definition specifically includes:

‘internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application or advertisement.’

Notably, since the CCPA covers ‘households’, this means it protects data even if the record does not contain a name nor relate to a single individual.

Additionally, the CCPA requires businesses to make disclosures about the information and the purposes for which it is used. Specifically, under the CCPA, California consumers now have the right to request a business to disclose:

  • the categories and specific pieces of personal information that it collects about the consumer;
  • the categories of sources from which that information is collected;
  • the business purposes for collecting or selling the information; and
  • the categories of third parties with which the information is shared.


Further, California consumers have the right to request deletion of their personal information, and businesses are required to delete upon receipt of a verified request, as specified. Notably, consumers may opt out of the sale of personal information by a business, and businesses are prohibited from selling the personal information of a consumer under 16 years of age, unless affirmatively authorised.

The CCPA applies to for-profit entities that conduct business in California and ‘collect consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information’ and either:

  • have more than USD 25,000,000 in gross revenues;
  • annually buy, receive, sell or share the personal information of 50,000 or more consumers; or
  • derive half or more of their annual revenues from selling consumers’ personal information.


Following amendments, the CCPA’s operative date remains unchanged, however, the enforcement action start date has been moved to either 1 July 2020 or six months after publication of the final regulations, whichever date is earlier.