What California’s Consumer Privacy Act Means for the Future of Data Security
The General Data Protection Regulation (GDPR) took full effect in May of this year. Essentially, this regulation strengthens data transparency and privacy protections for all EU citizens. But what about the U.S.?
Cue California’s version of GDPR, or “GDPR Lite,” as some are calling it. In late June, California governor Jerry Brown signed the Consumer Privacy Act, giving the state’s residents significantly more control over how their data is collected, handled, and used.
The law doesn’t go into effect until January 2020, but it will without a doubt have massive implications for every company operating both in state and abroad. The digital privacy law is not as extensive as the EU’s GDPR regulation, but it will still have a strong and important effect on the future of consumer information.
Here’s the Short Version
In short, California just passed its own digital privacy law, which allows consumers to know what information is being collected, why the company is collecting it, what it’s being used for, and who it is being shared with.
Under the Consumer Privacy Act, people can opt out from a company’s terms of service without losing any access to its offerings. The law also specifically aims to protect consumer data of anyone under the age of 16.
The digital privacy law will make it easier for residents to sue a company for any mishandling of their private information. Brands will be held accountable for any data breaches, allowing consumers to sue them for up to $750 per violation. And to top it off, the California attorney general can sue for up to $7,500 for each intentional violation of one’s privacy.
What Happens Next?
Essentially, any brand that’s experienced a data breach (think: Equifax, Facebook, Google, FitBit…the list goes on) will now be held significantly more accountable for failing to protect their consumers’ data.
However, the biggest question that remains is: will these companies tailor their data practices to California residents only, or will these practices end up extending to cover consumers across the country? While the answer is not immediately clear, the latter would certainly make for an easier transition for these companies, especially for smaller businesses that don’t have the resources of Facebook or Google. As Jason Kint, CEO of Digital Content Next, says:
“The risk here is rather than have a single federal law, or, a self-regulatory regime that’s aligned with consumer expectations, the ad industry will end up with a patchwork of state laws on top of GDPR. That becomes a cost to everyone.”
However, Kint does expect companies like Google to put up a major fight for concessions that would weaken the bill leading up to January 2020. “The duopoly will fight like mad to amend this thing into their interests,” Kint says. “Facebook will take a back seat to Google because Facebook is so toxic to any privacy discussion right now. And like we’re seeing with GDPR, enforcement including antitrust scrutiny of the duopoly matters, otherwise Google determines the rules and wins the game.”
Michael Connolly, CEO of ad company Sonobi, believes there will be multiple versions of privacy legislation at the state level that would result in significant challenges for both legislators and tech companies. A pragmatic approach could prove difficult for companies if there is not a nationwide federal law passed. Marc Benioff, CEO of Salesforce, agrees, stating it’s “time for a national privacy law.”
What a Data Privacy Law Could Look Like for the U.S.
So, what would a data privacy law look like for the U.S.? Benioff has some ideas. In a contributed article for Politico, Benioff stated that a federal law of this caliber should include three important elements:
- First, companies should be required to be more transparent not only about the data they’re collecting and how they’re using it, but also about the choices consumers have in controlling their personal data.
- Second, Benioff believes consumers “should have substantial control over the use of their personal data, including whether it is monetized, as well as the right to have it deleted — a so-called right to be forgotten.”
- Finally, he suggests that companies that fail to fulfill these obligations should be held accountable, including by the Federal Trade Commission (FTC). “This, no doubt, will be a tough pill for many tech companies to swallow. But an era in which tech operated in near-total freedom had to end.”
While not exactly a cookie-cutter version of the EU’s GDPR regulation, Benioff says, “any privacy law would need to be tailored to our own traditions, values and rule of law. Moreover, in our system, industry cannot be relegated to the sidelines. Industry must be a part of the solution.”
Putting Consumers First
Regardless of the outcome, whether a patchwork of state regulations or one blanket federal regulation, this is a step in the right direction for keeping consumer data safe. Accountability breeds trust, and in an era of daily data breaches, the U.S. should be challenged to put the consumer first.
Benioff states: “Technology is not neutral; it has become one of the most powerful and decisive tools in our lives. Our data represent who we are and what is known about us. Having control over our data should be an issue on which we can move forward without debate — it should be a right, and those responsible for safeguarding our freedoms can no longer be passive.”
What are your thoughts? Do you think states should move forward on regulating consumer data privacy, or should there be an overall federal regulation? Chat with us on Twitter.
About Andrea Duke
Andrea is a former Marketing Communications Manager at Urjanet. She is an experienced writer and content strategist, and is passionate about sustainability.