In the past few weeks, the state of California has crystallised its own position on consumer data protection with the announcement of the California Consumer Privacy Act (2018), which will come into force in January 2020. It is the first formal movement towards enhanced consumer rights over personal data in the US, intended primarily to make Silicon Valley and the broader tech industry more restricted in, and more accountable for, the way it captures, uses and shares people’s personal information.
The move, along with other developments around the world, from South Africa to Asia, confirms that individuals’ data privacy has become a global concern in the digital age. With the now-live EU General Data Protection Regulation, investments in compliance could have much broader application and payback.
That’s assuming organisations have developed data permissions management strategies and capabilities that are true to the spirit of GDPR, safeguarding consumers’ privacy and greater public trust, and have been designed with built-in adaptability. Where this is the case, the global trend towards stricter data protection should not be any cause for concern. The EU’s measures with GDPR are so thorough and all-encompassing that building in provision for other markets should involve no more than some tweaking of existing data controls.
West Coast considerations
So what requirements has California set down? Its new Consumer Privacy Act will extend existing laws, including the Online Privacy Protection Act, Privacy Rights for California Minors in the Digital World Act and the “Shine the Light” Law. It will touch any organisation with annual gross revenues of above $25 million, with access to the personal information of 50,000 or more consumers, households or devices, or which derives 50% or more of its annual revenues from selling consumers’ personal information.
Under its protection, Californian residents (consumers) will be able to opt-out of the sale of personal information by a business (this is automatic for children under 16 who would need explicitly to opt-in to permit it). Meanwhile, third parties would be prevented from selling on personal information they have bought about a consumer, unless they have been open about this aim and given individuals the opportunity to opt-out.
Although it has the same broad intentions as the EU’s GDPR, the California Consumer Privacy Act, which is likely to set a precedent for other states or will in time become Federal law, is not as extensive or as complex. It is chiefly concerned with the rights of the individual over their data and improving transparency into what organisations do with it. The only notable additional provision organisations will need to make is the introduction of a “Do not sell my data” option to consumer data permissions options.
Beyond that, the expectations are fairly straightforward. California’s Act doesn’t talk about different justifications (lawful bases) for holding and using people’s data. Nor does it set out “special” categories of data. But it does require that organisations inform consumers about the types of personal information it wants to collect and how this will be used, in keeping with the goal of increased transparency.
Individuals can also exercise the right to check on any of this - they can expect an organisation to disclose and deliver details of the personal information it possesses and has used over the past year, free of charge within 45 days. Although individuals do not have a specific right to rectification or data portability as they have in the EU, there is provision for deleting personal information (with some exceptions).
Well-intentioned organisations will fare best
California’s move to shore up consumers’ data rights has been welcomed by consumer protection agencies and campaigners, which have been lobbying for change for a long time in the light of the big internet giants’ increasingly sophisticated and often hidden use of people’s information.
If the state Governor hadn’t signed off on the new legislation, a local coalition team would have pressed on with plans for a Bill containing much more stringent measures. It still could, if the big internet brands attempt to water down the proposed Privacy Act.
But the fact that provisions under the California act are stripped back compared to the requirements of GDPR is good news for organisations that have invested considerable time, effort and budget in preparing for compliance with the EU’s data protection measures. It means that, rather than go back to the drawing board, they can increase the return on that investment through some simple adaptations that enable the same controls to be applied to other markets.
It comes back to our message about building people’s privacy and data protection by design and default into everything an organisation does with a view to building market trust and strengthening consumer relationships. If organisations have done that, emerging international variations on data privacy requirements will hold no fear.