While California already had some of the strictest and most varied privacy laws in the country, the new California Consumer Privacy Act of 2018 "is a whole new ballgame," says privacy attorney Kirk Nahra.
The law, AB 375, which was signed by California Gov. Jerry Brown on June 28 and is slated to take effect on Jan. 1, 2020, gives consumers the right to ask businesses for the types and categories of personal information being collected.
The law also requires businesses to disclose the purpose for collecting or selling the information, as well as the identity of the third-party organizations receiving the data. Consumers can also request data be deleted and initiate civil action if they believe that an organization has failed to protect their personal data (see California's New Privacy Law: It's Almost GDPR in the U.S.).
The new act "is particularly important because it essentially applies to all personal data in all situations," says Nahra of the law firm Wiley Rein in an interview with Information Security Media Group.
"There are some exceptions to that, but the idea is that it applies to everything. And that's very different than all the prior California laws, but [also to] the entire approach to privacy and security regulations that we've seen in the United States to date, where the laws have been either industry specific, like HIPAA [for healthcare] or the Gramm-Leach-Bliley [regulations] for the financial services industry, or they've been practice specific which deals with a particular law for a particular activity," he says.
Until now, "we don't have one-size-fits-all laws, which is why the comparison between the new California law and the European Union's General Data Protection Regulation has been coming up so often lately," he notes.
"This is the first time we've seen this in the United States," he says.
But will it be the last time?
"It's a big question politically whether other states will copy what California is doing under its new privacy law," Nahra says.
In the interview, Nahra also discusses:
- Differences and similarities between the California Consumer Privacy Act of 2018 and the EU's GDPR;
- Who needs to comply with the California law;
- Why there's uncertainty about whether the California law applies to business associates under HIPAA.
As a partner at the law firm Wiley Rein LLP, Nahra specializes in privacy and information security issues, as well as other healthcare, insurance fraud and compliance issues. He's a member of the board of directors of the International Association of Privacy Professionals and was co-chair of the Confidentiality, Privacy and Security Workgroup, a former panel of government and private-sector privacy and security experts advising the American Health Information Community.