California setting new data privacy standards for the US

Karlin Lillington: US firms thought they might dodge greater consumer privacy obligations

Some companies, such as Facebook, say they will offer users internationally the same privacy controls they will give to EU citizens under GDPR. Photograph: Daniel Leal-Olivas/AFP/Getty Images

When it comes to laws that directly impact how citizens engage with technology – and vice versa – California regularly sets national, even international, trends. This is particularly true in the critical area of consumer protection, where California has spurred other states to action.

Consider its data breach law, which came into force 15 years ago. In a legislative first, California required businesses, state agencies and organisations to notify users if their unencrypted personal data had been leaked.

Some of the world’s largest data breaches were disclosed thanks to that law. More recently, the state expanded the law to include strict provisions on medical and health insurance data. A public database of breaches is maintained by the state.

For a long time, California’s legislation surpassed European Union safeguards. The EU only introduced specific breach legislation six years after California. Other states slowly followed California’s example, with the final laggards – Alabama and North Dakota – recently passing data breach laws. Calls for a US federal law have been ongoing for years, not least because each of the 50 states plus the District of Columbia now has its own law with differing standards and requirements. But Congress so far remains unable to agree on a federal approach.

Protections

Now, California has turned its attention to data privacy. Last week, the state once again passed legislation that provides Californians with protections far beyond anything offered in the rest of the US, with its new California Consumer Privacy Act of 2018. This law, hurried through the state legislature last Thursday, will by 2020 give state residents some of the key protections Europeans have under the General Data Protection Regulation (GDPR, which clearly inspired the California law).

California’s law gives people the right to know what data is being collected about them, the ability to stop companies selling their data to third parties, and a right to have their data deleted.

Parental permission

In addition, the new law requires companies to obtain parental permission to gather data from children aged under 16, and gives Californians the right to sue companies over data breaches. As with GDPR, the law removes the significant barrier of an individual having to prove they were materially harmed by a breach. Now, someone only has to have a complaint accepted by the state attorney general’s office.

Recompense at the individual level is modest, a maximum of $750 (€645) per person, per breach. But this provision is said to be the one companies are most concerned about, and no wonder.

Leaked records

Just consider how fast consumer compensation might add up for companies like, say, Exactis, a Florida-based data aggregator which last week revealed it may have leaked detailed data records of up to 340 million individuals and companies. Or the 148 million users affected by the Equifax breach last September. Or the three billion users involved in last October’s Yahoo breach. The Facebook/Cambridge Analytica breach, at 87 million records, is almost modest in comparison.

Some legal experts are of the opinion that the new disclosure and data removal elements won’t have that big an effect except on data brokers, because so many California (and US) companies already have to comply with the GDPR.

But this seems an ill-informed view. Yes, some companies, such as Facebook, have said they’ll offer all their users internationally the same privacy controls they will give to EU citizens under GDPR. But individual controls aren’t the same as wider legal obligations. And critically, many companies certainly had no intention of giving GDPR equivalency to US consumers.

Swift response

The genesis of the Bill was particularly Californian: a swift response to an alternative privacy referendum initiative that recently qualified for California’s November election ballot. The initiative scared the bejeepers out of some lawmakers, and especially businesses, because state referendum initiatives pass into law without negotiation or alteration and can only be changed in future by voters, not lawmakers.

A legislative Bill, on the other hand, can be amended before it is enacted, and further amended at later dates (for example, California’s data breach legislation was strengthened more than a decade on).

The tech and data gathering industries particularly affected by the new Bill were thus relatively helpless to oppose it, hoping instead to lobby for changes in the new privacy law rather than risk being stuck with an initiative writ in legislative stone.

The instigator of the ballot initiative, a San Francisco real estate developer and privacy activist (I know: only in San Francisco) named Alastair Mactaggart, supported the state Bill and was happy to withdraw his own initiative, which he said was, in part, intended to push the state legislature to act.

Gutted

Theoretically, the Bill, already signed by state governor Jerry Brown, could be gutted in the coming 18 months before it is finally enacted.

But, at a time when US state and national polls show broad support for new privacy laws, this would be unwise. Instead, the California Consumer Privacy Act is more likely to herald a new wave of US privacy legislation, thwarting the hopes of those US companies that thought they might dodge greater consumer privacy obligations by sequestering the data belonging to those annoying Europeans while carrying on the US data slurp as usual.
