In late June, California lawmakers passed the ‘Consumer Privacy Act 2018’ (AB 375), introduced by State Assembly member Ed Chau and State Senator Robert Hertzberg and signed by California Gov. Jerry Brown. The new data privacy law allows residents of the state a greater say in how businesses collect and use personal data. It also imposes a slew of new penalties on those businesses that skirt compliance with the regulations. The first data privacy law of its kind in the United States comes in the wake of the Cambridge Analytica scandal, which saw Facebook rapped over the knuckles for how it was using personal information, as well as numerous other instances of data breaches and privacy concerns.
The bill was the result of lobbying by the group ‘Californians for Consumer Privacy’ and would go into effect in 2020.
The bill was cautiously supported by the tech industry – which may seem surprising, but there was a good reason behind their support. The alternative would have been a ballot measure in November which, if successful, would have simply prevented companies from denying any sort of service to those who denied them the opportunity to use personal data – and opened a floodgate for litigation.
The California legislation would, on the other hand, prevent businesses from denying service to consumers if they opt out of having their data tracked and stored, but in a more nuanced fashion. The data privacy law contains similar language to the GDPR, which allows companies to offer different services or rates to consumers based on the information they provide – for instance, a free product based on advertising. But there is a crucial difference: the bill states that the difference must be “reasonably related to the value provided to the consumer by the consumer’s data.”
Ballot option terrifying tech companies
The alternative would have been the November ballot – and that would have had far-reaching consequences for the tech industry. Tech companies claim that the provisions of the ballot would have opened them up to liability that would hurt their businesses and their ability to hire.
Most worrying for those who have been gathering and using vast amounts of consumer data (sometimes without the express permission of clients) is that the ballot initiative would have allowed consumers to sue companies for data breaches and violations of privacy. It would also have had another far-reaching consequence. Consumers who told companies to cease using their data, and who sued them, would have been able to do so without fear of losing access to the services provided by those companies. The California ‘Consumer Privacy Act 2018’, by contrast, waters this down with the proviso that the tech company can offer different rates and services “reasonably related to the value provided to the consumer by the consumer’s data.”
Similarities with the EU GDPR
The legislation bears a striking resemblance to the European Union General Data Protection Regulation (GDPR) and places responsibility for data use squarely in the hands of the consumer. It forces companies to inform consumers of what data they are storing, why they are storing it and, especially important, with whom they are sharing that information. This has far-reaching consequences for privacy protections.
Frederik Mennes, senior manager market & security strategy at OneSpan:
“Similar to the European General Data Protection Regulation, the Californian Consumer Privacy Act requires organizations to be more transparent about the ways they use personal data, and provides consumers more control about the usage of their personal data. Additionally, organizations are required to implement and maintain security controls appropriate to the nature of the personal data. Organizations should consider implementing multiple layers of security controls, such as data encryption, data anonymization as well as access control based on strong user authentication to meet this requirement.”
However, it is interesting to note that there are crucial differences between the GDPR regulations and the ‘Consumer Privacy Act 2018’. In fact, the California data privacy law adds significantly to the GDPR regulations, and these are the provisions that are worrying companies that harness data from consumers.
In terms of the GDPR, businesses are required to get users’ permission before collecting and storing their data. But most companies have designed the popups they use to get those permissions in the most opaque way possible. “You really don’t have a choice,” says Ashkan Soltani, former chief technology officer of the Federal Trade Commission who helped author the ballot initiative.
So, companies that use data are faced with a number of hurdles.
There must be explicit permission from the consumer; their behavior must be ‘reasonable’ if such permission is denied; and they will face stiff penalties if they transgress these provisos.
It also seems that this legislation is only the thin end of the wedge as far as safeguarding personal data is concerned – data privacy laws are about to undergo a full-scale revamp within the United States, at least according to some industry experts.
Matan Or-El, CEO and co-founder of commented: “It’s impossible not to think of this law as following on the heels of GDPR. The precedence of the GDPR demonstrates that such regulations, regardless of whether they will increase security and privacy in practice, have made lawmakers and consumers worldwide understand that such standards can be set. Furthermore, it is certainly likely that similar privacy regulations will be adopted by other states. We saw this in the past when California was the first state to publish their breach notification law and most states pursued a similar law of their own.”
Tech companies concerned about data privacy law
Understandably, not everyone is delighted with the legislation.
In fact, tech companies are at the forefront of efforts to derail or at least amend certain provisos of the legislation, something that would have proved problematic had the proposed regulations gone the route of a ballot.
If the bill had failed, it would have been up to voters to decide whether to support the proposal on the ballot in November – and ballot initiatives are far more difficult to change once they’re passed, because amendments require yet another two-thirds majority vote on the ballot. That may be one reason why opponents within the tech industry reluctantly supported the passage of the bill: put simply, the current legislation is easier to change.
Tech companies fighting hard
The tech industry did everything in its power to stymie the ballot initiative. The industry spent millions of dollars to oppose it – all through a group called ‘The Committee to Protect California Jobs’.
They argued that the measure would open them up to liability that would hurt their businesses and their ability to hire. However, this is a situation of their own making. They have built a business model that relies on the use of data for their own marketing efforts as well as the sale of data to third parties, often using tactics that could be best described as ‘unethical’.
Terry Ray, chief technology officer at Imperva, hits the nail on the head with his comment: “Someone said to me recently, that data used to be like gold, but now it’s more like uranium, still very valuable but also highly radioactive.”
The bill is in essence a compromise. It takes away the right of private citizens to sue (unless there is a data breach) – but puts the task of enforcing the data privacy law in the hands of the attorney general.
Tech companies seem to have succeeded in those efforts – but they are not stopping there. Lobbyists affiliated with the group TechNet are hard at work trying to motivate changes to parts of the bill as well, including a stipulation that businesses must include a clear button on their websites giving people the ability to opt out of data collection.
TechNet’s vice president of state policy and politics, Andrea Deveau, commented, “We believe that the legislature, not the ballot box, is the correct venue to consider this important and complex area of policy.”
Robert Callahan, vice president of state government affairs at the Internet Association, which represents tech companies like Google and Facebook, struck much the same tone. He is on record as saying that while the group opposes “many problematic provisions” within the bill, it at least “prevents the even worse ballot initiative from becoming law in California.”
Facebook’s vice president of state and local public policy, Will Castleberry, said that while the bill is “not perfect,” the company supports it and looks forward to “working with policymakers on an approach that protects consumers and promotes responsible innovation.” It seems that the Cambridge Analytica scandal has not dampened Facebook’s efforts to stamp its authority on data collection and privacy rights. Given the amount of money that the company makes from data, this should come as no surprise.
Battle lines drawn
The battle lines have been drawn in the war for privacy protection. The ballot initiative seems to be off the table for now, and tech companies are lobbying strongly to protect their right to use and sell data to third parties.
However, there is a growing realization that change is essential. The landscape as regards data privacy is now increasingly being dictated by consumers and consumer activism.
It is too early to say whether the consumer will be in the driving seat when it comes to privacy and data usage – however, it certainly seems as if the winds of change are beginning to blow more strongly.