California’s New Consumer Privacy Law 2018
Privacy is a big concern for many people. Moreover, it is a guaranteed Constitutional right of any person. However, there have been very few measures and levers to ensure it until recently. With the growing discontent regarding security breaches and private data disclosure, governments of different countries have started addressing this pressing need.
So, Jerry Brown, Governor of California signed a California Consumer Privacy Act of 2018 (aka AB 375) into a law on June 28. It enables Californians to gain control over their personal data and how it is stored and distributed.
Although coming into effect only in January 2020, the law has already created an uproar. Companies ranging from tech giants, media platforms to retailers are going to have to reshape their business approaches to comply with the upcoming changes.
Background
I think that everybody is mildly waking up to the importance of privacy.
This document was cobbled together within three weeks and signed within a few hours as a compromise to a stricter Ballot Initiative. The former was actively opposed to by the media and tech giants like Google, Amazon, Microsoft, Verizon, etc. while advocated and supported financially by Alastair Mactaggart, a real estate developer. He fully agreed with the decision by saying that privacy is an extremely important concern in the digital world now.
This law enacts significant positive refinements in the legislation. Other states are very likely to follow suit soon.
Similarity to GDPR
When looking at the new legislation, we can see its striking conformity to the recent General Data Protection Regulation that came into force in Europe just about a month ago. Here are the main principles. Californians will be entitled to
- Know what kind of personal data is collected;
- Be aware who if so it is shared with or sold to;
- Forbid to sell their personal information to third parties;
- Have access to their personal info and request its deletion if necessary;
- File a suit in case of any privacy breach;
- Restrict collecting personal data about the children under 13;
- Get non-discriminated services when opting out from granting permission to use their private data.
The last point may be quite controversial though. Retailers are forced not to discriminate against the people who exercise their legal right. That may bury loyalty programs and special offers as companies will fail to incentivize their important customers.
Differences From the GDPR
There still a few diversions from the EU law. Companies
- Do not have time constraints for informing about security violation.
As opposed to the 72 hours in Europe, executives have unlimited periods to let people know about any security issues.
- Do not get fined for non-compliance with the law.
Recent European document levies very high penalties for failing to meet the requirements. New California Law does not mention any fines for this.
Corporate Response
Surprisingly enough, many media and technology companies have accepted the alternative to the Ballot Initiative and have agreed to adopt these principles to their data collection even outside California. Moreover, Facebook executives believe they have become more transparent and compliant with the current EU regulations. So, they may need to implement some minor changes to fit in.
But techno unicorns and some giants like Amazon, Uber, and Google are reluctant to completely advocate for the new regulations. They claim that the document needs more careful and thorough editing.
Ambiguities of the New Law
Even though the document is a major breakthrough in the data protection movement, it still features some imperfections. Here are some of them:
- If your data had already been sold, there is no way to fix it.
Californians can monitor and even delete the information about them the company has collected. But when it comes to the ones who had acquired it before the law came into effect, the only thing you get is the list of categories of entities who may have your data. It is up to you how to claim it back.
- You may be paid for sharing your data
This implies that users can be paid directly or offered different prices in exchange for using their data. This point seems to disagree with the statement not to discriminate non-sharers and still remains blurry.
While businesses have about 18 months to prepare, it is better to start now. Make sure your company is in compliance to run your business without a hitch.