California Enters the Privacy Regulation Arena
California is the first state in what undoubtedly will be a wave of United States privacy laws on the European model. In a very rushed action at the end of June, taken to keep an even more restrictive ballot initiative from getting in front of voters, the California legislature pushed through the California Consumer Privacy Act of 2018, which grants significant privacy rights to California consumers. Among other things, the law provides that:
- A consumer (defined as a California citizen) has the right to request that a business (defined as having more than $25 million in California revenue) that collects personally identifiable information (PII) disclose the categories and specifics of the information so collected;
- At the point of collection, the business must inform consumers of the categories of information to be collected and the purpose of the collection. Additional information cannot be collected without notice;
- A consumer has the right to request that their information be deleted;
- A consumer has the right to request disclosure of the categories of information sold to third parties, the purpose of the sale and the identities of those third parties; and
- A consumer has the right, at any time, to direct that their information not be sold.
There are also requirements for posting of online privacy policies, required notifications, and a consumer right of action in the case of violations. There must also be a clear and conspicuous link on the business home page titled “Do Not Sell My Information” that permits a consumer to opt out of such sales.
Does this all sound familiar? It should, because it reads a whole lot like the European Union General Data Privacy Directive (GDPR). Businesses reluctantly supported it because the alternative ballot initiative would have been much tougher, but they have made it clear that between now and the law’s effective date in 2020, they’ll push for amendments to soften its impact on them.
Privacy advocates, meanwhile, are elated. They are confident that, once all of the requirements are implemented and the bugs worked out, other states will see that it’s a workable scheme and follow along.
I’m inclined to agree with the privacy advocates. The wave has been building for some time, and it’s no surprise at all that it hit first in California, but consumers elsewhere are equally concerned. And as a technical matter, there’s nothing new here. The sorts of processes and mechanisms that this law contemplates have all had to be built out for the GDPR anyway, so it’s just going to be a matter of making those processes available to everyone. And, if they’re made available to Californians, it may be difficult not to make them available nationwide. So, adoption of similar laws by other states may wind up being pro forma anyway.
The tough part for business will be the “Do Not Sell My Information” bit. If it makes it through the amendment process, widespread use of that feature will significantly diminish the value of organizations whose business model is based on information sales. And worse, once the Europeans see it, they might like it a lot – and Europeans will get to use it too. Which will just make matters worse for the Facebooks of the world.
Love it or hate it, real privacy law with teeth and a bite is here. So, get ready!
John C. Montaña J.D., FIIM, FAI
Montaña & Associates