In late June, California lawmakers passed the ‘Consumer Privacy Act 2018’ (AB 375), introduced by State Assembly member Ed Chau and state senator Robert Hertzberg and signed by California Gov. Jerry Brown. The new data privacy law gives residents of the state a greater say in how businesses collect and use personal data. It also imposes a slew of new penalties on businesses that skirt compliance with the regulations. The first data privacy law of its kind in the United States comes in the wake of the Cambridge Analytica scandal, which saw Facebook rapped over the knuckles for how it was using personal information, as well as numerous other instances of data breaches and privacy concerns.
The bill was the result of lobbying by the group ‘Californians for Consumer Privacy’ and would go into effect in 2020.
The bill was cautiously supported by the tech industry – which may seem surprising, but there was a good reason behind their support. The alternative would have been a ballot measure in November which, if successful, would have simply prevented companies from denying any sort of service to those who denied them the opportunity to use personal data – and opened a floodgate for litigation.
The California legislation would, on the other hand, prevent businesses from denying service to consumers if they opt out of having their data tracked and stored, but in a more nuanced fashion. The data privacy law contains similar language to the GDPR, which allows companies to offer different services or rates to consumers based on the information they provide, for instance a free product based on advertising. But there is a crucial difference: the bill states that the difference must be “reasonably related to the value provided to the consumer by the consumer’s data.”
Ballot option terrifying tech companies
The alternative would be the November ballot – and that would have far-reaching consequences for the tech industry. Tech companies claim that the provisions of the ballot would have opened them up to liability that would hurt their businesses and their ability to hire.
Most worrying for those who have been gathering and using vast amounts of consumer data (sometimes without the express permission of clients) is that the ballot initiative would see consumers being able to sue companies for data breaches and violations of privacy. It would also have had another far-reaching consequence. Consumers who told companies to cease using their data, and who sued them, would have been able to do so without the fear of losing access to the services provided by those companies. The California ‘Consumer Privacy Act 2018’, by contrast, waters this down with the proviso that the tech company can offer different rates and services “reasonably related to the value provided to the consumer by the consumer’s data.”
Similarities with the EU GDPR
The legislation bears a striking resemblance to the European Union General Data Protection Regulation (GDPR) and places responsibility for data use squarely in the hands of the consumer. It forces companies to inform consumers of what data they are storing, why they are storing it and, especially important, with whom they are sharing that information. This has far-reaching consequences for privacy protections.
Frederik Mennes, senior manager market & security strategy at OneSpan:
“Similar to the European General Data Protection Regulation, the Californian Consumer Privacy Act requires organizations to be more transparent about the ways they use personal data, and provides consumers more control about the usage of their personal data. Additionally, organizations are required to implement and maintain security controls appropriate to the nature of the personal data. Organizations should consider implementing multiple layers of security controls, such as data encryption, data anonymization as well as access control based on strong user authentication to meet this requirement.”
However, it is interesting to note that there are crucial differences between the GDPR regulations and the ‘Consumer Privacy Act 2018’. In fact, the California data privacy law adds significantly to the GDPR regulations, and these are the provisions that are worrying companies that are harnessing data from consumers.
Under the GDPR, businesses are required to get users’ permission before collecting and storing their data. But most companies have designed the popups they use to get those permissions in the most opaque way possible. “You really don’t have a choice,” says Ashkan Soltani, former chief technology officer of the Federal Trade Commission who helped author the ballot initiative.
So, companies that use data are faced with a number of hurdles.
They must obtain explicit permission from the consumer, their behavior must be ‘reasonable’ if such permission is denied, and they will face stiff penalties if they transgress these provisos.
It also seems that this legislation is only the thin end of the wedge as far as safeguarding personal data is concerned – data privacy laws are about to undergo a full-scale revamp within the United States, at least according to some industry experts.