Data privacy law in California just took a giant step forward. The new California Consumer Privacy Act, which was passed at the end of June 2018, is the strictest data privacy law in the United States to date. With many GDPR-like qualities, this new legislation could signify a larger trend in US policy regarding data protection and privacy rights – especially given California’s status as the reigning US tech innovator and home to many of America’s largest, most competitive technology companies. Longer term, the commitment to data privacy rights within America’s most populous state could increase the pressure on other states, or even the federal government, to follow suit.
The California Consumer Privacy Act: Another GDPR?
The California Consumer Privacy Act incorporates several aspects of the GDPR into its legislation. It has a broader definition of personal data, and it emphasizes transparency with respect to the processing of data. Additionally, the law promotes subject access requests, the right to be forgotten, and data portability. It will enable data subjects to request the categories, sources, and business purposes of personal data collected by a company, and the data subjects can request what categories of personal data are being sold to different classifications of third parties.
Despite the obvious regulatory hurdles, the positive side for many tech companies is that much of what they have already undertaken to comply with the GDPR will serve them well once the California Consumer Privacy Act becomes law. Companies still not prepared for GDPR regulation, on the other hand, may now be under twice the pressure – and possibly suffer twice the scrutiny.
Data Privacy in California: Who is Affected?
The law protects any data subject who is a “natural person who is a California resident,” and it creates regulations for companies that conduct business in the state of California and collect consumers’ personal information for profit. In addition, a company must meet at least one of the following criteria: it has a gross revenue of more than $25 million annually; it “alone or in combination, annually buys, receives for the business’[s] commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices”; or 50% or more of its annual revenue comes from selling consumers’ personal data.
Just as companies outside of Europe who are handling the personal data of Europeans must comply with GDPR mandates, companies not within California’s borders are similarly compelled to comply with the state’s new data privacy requirements. With the state set to surpass 40 million residents by the time the law comes into effect, it’s also fair to say that nearly all companies who handle the personal data of American consumers will be affected by this legislation to some degree.
A Different Approach from the GDPR
The penalties of the California Consumer Privacy Act reflect a distinctly American style when compared to GDPR penalties. First off, the law allows consumers to sue a business for a violation. It is also possible for a company to be prosecuted by the California Attorney General if the violation is not corrected within 30 days. An organization could also be required to pay damages of up to $750 per consumer after a data breach, and if a company intentionally violates the law, it may be fined up to $7,500 per violation. Under the GDPR, a company faces a fine of €20 million or 4% of annual global turnover. Comparing penalties, the GDPR places much harsher penalties on companies, but the California legislation still indicates a significant shift in the U.S. perception of data privacy and consumer rights.
Under the GDPR, the processing of personal data requires a legal basis. If there is no other legal basis, consent is required from the data subject; without this consent, their personal data cannot be lawfully processed. Under the California Consumer Privacy Act, however, a data subject’s consent to the processing of their personal data appears to be assumed. The data subject can decide to opt out of the sale of their personal data, rather than “opting in” as would be required under the GDPR. Although consumers are protected from a business discriminating against them for opting out, businesses are still allowed to offer a financial incentive for permitting the sale or collection of personal data. Additionally, the right to opt out must be honored for a minimum of one year before a company asks again. Nevertheless, the assumed consent of data subjects in California highlights that although this is a progressive law for the United States, it still lacks much of the privacy rights gravitas established by the GDPR.
Consumer Privacy: 2020
The California Consumer Privacy Act will go into effect on January 1, 2020, allowing businesses less than 18 months to prepare for the new regulations. While the Act is the first key example of data privacy legislation in the United States, it will not be the last. California’s significant influence over the technology sphere will quickly establish the importance of data protection—one that is likely to have an impact at both the state and national level. Even under current legislation, it’s unlikely that all consumers will remain happy with a company providing one set of superior privacy services to California residents and another set of services to everyone else. Additionally, once a company has the capability, why not enable the same privacy process for all of its users and customers? Whether the incentives are political or for profit, the requirements for companies to provide advanced privacy options for consumers are becoming increasingly unavoidable.
Pierson Klein joined TechGDPR’s team as Legal Intern this summer. She is majoring in Law, Jurisprudence, and Social Thought at Amherst College (2020) in the U.S.A.