The EU’s General Data Protection Regulation (GDPR) went into effect on May 25. Privacy compliance professionals had been working for years on risk analysis and compliance plans in anticipation. Everyone else found out through the deluge of emails from companies asking whether they could continue to send marketing solicitations and other important information, blaming “European regulations,” and telling you about their new privacy policy. The GDPR is less significant for companies located solely within the U.S. that do not offer goods or services to, or monitor the behavior of, individuals in the EU, and that do not process or store the personal data of any EU residents. Those companies, and the rest of us who hit delete when those communications arrived, should get ready for more emails.

Scope of California Consumer Privacy Act (CCPA)

In the wake of successive Facebook privacy-related failures, California passed its own privacy law in June 2018 (popularly known as California Assembly Bill 375, or the CCPA). The California Consumer Privacy Act looks quite similar to the GDPR and goes into effect in January 2020. The California law applies to any organization that “conducts business in California” and satisfies one of three conditions: (1) it has annual gross revenue in excess of $25 million; (2) it annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices, alone or in combination; or (3) it derives 50 percent or more of its annual revenue from selling consumers’ personal information.