June was an interesting legislative month in the state of California.
In the face of an impending ballot initiative that would’ve imposed stringent privacy rules around the retention and use of consumer data, the state legislature stepped in and drafted an alternative privacy law that, in its current form, appears to be a GDPR-lite set of regulations.
Before we discuss the components of the resulting California Consumer Privacy Act of 2018, it is interesting to speculate as to why state legislators stepped in to stop the ballot initiative. I see three primary factors driving that decision:
1) The ballot initiative contained a provision that specifically prohibited companies from giving away applications (games, etc) in return for the right to monetize the user data of those applications (a common practice.)
2) The ballot initiative imposed draconian penalties on violators
3) Introducing the law via legislation enables the state to evolve and clarify the bill as needed, whereas if implemented via the ballot initiative, it would be much harder to change.
I think we can safely assume that the lobbying of the tech industry led to the scuttling of the data monetization restrictions and the re-examination of penalties. The California legislature changed the focus of the initiative to follow a version of the already implemented GDPR regulations.
So, in a first for the United States, we have the California Consumer Privacy Law of 2018, which goes into effect on January 1, 2020.
As I mentioned, the regulations are more similar to GDPR than not, but do currently leave out some of GDPR’s more stringent requirements. The California law contains three key components (and these relate to data associated with any resident of the state of California):
Many questions arise when looking at these regulations. Primarily, what is the mechanism that a consumer can employ to obtain this information?
I believe that between now and January 1, 2020, California legislators will be working to better define the scope of the law, the associated penalties and the paths to consumer enablement.
But the law is coming, and it represents the Unites States first real comprehensive attempt to protect consumers and their private information. I fully expect more states to model similar regulations.
In our next post, we will dive into the differences between GDPR and the current form of the California law.