California setting new data privacy standards for the US

Karlin Lillington: US firms thought they might dodge greater consumer privacy obligations

When it comes to laws that directly impact how citizens engage with technology – and vice versa – California regularly sets national, even international, trends. This is particularly true in the critical area of consumer protection, where California has spurred other states to action.

Consider its data breach law, which came into force 15 years ago. In a legislative first, California required businesses, state agencies and organisations to notify users if their unencrypted personal data had been leaked.

Some of the world’s largest data breaches were disclosed thanks to that law. More recently, the state expanded the law to include strict provisions on medical and health insurance data. A public database of breaches is maintained by the state.

For a long time, California's legislation surpassed European Union safeguards. The EU only introduced specific breach legislation six years after California. Other states slowly followed California's example, with the final laggards – Alabama and North Dakota – recently passing data breach laws. Calls for a US federal law have been ongoing for years, not least because each of the 50 states plus the District of Columbia now has its own law with differing standards and requirements. But Congress so far remains unable to agree on a federal approach.



Now, California has turned its attention to data privacy. Last week, the state once again passed legislation that provides Californians with protections far beyond anything offered in the rest of the US, with its new California Consumer Privacy Act of 2018. This law, hurried through the state legislature last Thursday, will by 2020 give state residents some of the key protections Europeans have under the General Data Protection Regulation (GDPR, which clearly inspired the California law).

California’s law gives people the right to know what data is being collected about them, the ability to stop companies selling their data to third parties, and a right to have their data deleted.

Parental permission

In addition, the new law requires companies obtain parental permission to gather data from children aged under 16, and gives Californians the right to sue companies over data breaches. As with GDPR, the law removes the significant barrier of an individual having to prove they were materially harmed by a breach. Now, someone only has to have a complaint accepted by the state attorney general’s office.

Recompense at the individual level is modest, a maximum of $750 (€645) per person, per breach. But this provision is said to be the one companies are most concerned about, and no wonder.

Leaked records

Just consider how fast consumer compensation might add up for companies like, say, Exactis, a Florida-based data aggregator which last week revealed it may have leaked detailed data records of up to 340 million individuals and companies. Or the 148 million users affected by the Equifax breach last September. Or the three billion users involved in last October’s Yahoo breach. The Facebook/Cambridge Analytica breach, at 87 million records, is almost modest in comparison.

Some legal experts are of the opinion that the new disclosure and data removal elements won’t have that big an effect except on data brokers, because so many California (and US) companies already have to comply with the GDPR.

But this seems an ill-informed view. Yes, some companies, such as Facebook, have said they'll offer all their users internationally the same privacy controls they will give to EU citizens under GDPR. But individual controls aren't the same as wider legal obligations. And critically, many companies certainly had no intention of giving GDPR equivalency to US consumers.

Swift response

The genesis of the Bill was particularly Californian, a swift response to an alternative privacy referendum initiative that recently qualified for California’s November election ballot. The initiative scared the bejeepers out of some lawmakers and especially, businesses, because state referendum initiatives pass into law without negotiation or alteration and can only be changed in future by voters, not lawmakers.

A legislative Bill, on the other hand, can be amended before it is enacted, and further amended at later dates (for example, California’s data breach legislation was strengthened more than a decade on).

The tech and data gathering industries particularly affected by the new Bill were thus relatively helpless to oppose it, hoping instead to lobby for changes in the new privacy law rather than risk being stuck with an initiative writ in legislative stone.

The instigator of the ballot initiative, a San Francisco real estate developer and privacy activist (I know: only in San Francisco) named Alastair Mactaggart, supported the state Bill and was happy to withdraw his own initiative, which he said was in part, intended to push the state legislature to act.


Theoretically, the Bill, already signed by state governor Jerry Brown, could be gutted in the coming 18 months before it is finally enacted.

But, at a time when US state and national polls show broad support for new privacy laws, this would be unwise. Instead, the California Consumer Privacy Act is more likely to herald a new wave of US privacy legislation, thwarting the hopes of those US companies that thought they might dodge greater consumer privacy obligations by sequestering the data belonging to those annoying Europeans while carrying on the US data slurp as usual.