After spending months preparing to comply with the European Union’s General Data Protection Regulation (“GDPR”), software companies now have a new U.S. data privacy law to be concerned with. California has just passed a landmark data privacy law of its own: the Consumer Privacy Act of 2018. To view the text of the law, click here.
As USA Today reports on the new law: “[it] is similar to Europe’s General Data Protection Regulation rules, which took effect last month, but goes further, allowing consumers to opt out of their data being shared instead of forcing them to opt in to continue using online services.”
For its part, The New York Times characterizes California’s new law as less “expansive” than the GDPR but “one of the most comprehensive in the United States.” However, Wired describes the new law as “adding to [the GDPR] in crucial ways.” In particular, Wired points to the fact that the GPDR requires opt-ins to collect and store data but in practice the opt-ins actually used do not give consumers a choice other than to opt-in in order to use the service; however, California’s law will prevent companies from denying service to consumers who opt out.
According to Tech Crunch, the key protections of California’s new law are requiring companies to comply with consumer requests to delete data, providing a new consumer right to opt out of data being sold without any sort of penalty being assessed, preserving for companies the right to provide “financial incentives” to collect data, and granting state authorities the right to fine companies for violations.
As you might expect, it is being reported that there were extensive corporate lobbying efforts employed by some prominent companies against the proposed legislation. The New York Times and USA Today are reporting that Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the ballot measure and that lobbyists are expecting businesses to pour between ten and a hundred million dollars into campaigns against the law over the next few months.
All in all, there seems to be a consensus that this legislation is going to have a tremendous impact on data privacy nationwide, despite its limited application to California and the fact that it may still be amended before it goes into effect in 2020.
As for the software industry, the worries about data privacy compliance now shift from Europe to California and potentially the other 49 states. Fortunately, the industry has two full years to prepare for the new California regulation.