Editor’s note: The legislation referred to in this story has now been passed. To read our latest report on California’s new data privacy rules, please go here.
The US state of California could be about to introduce GDPR-style data privacy laws.
The state legislature is set to vote later today (Thursday 28 June) on the proposed California Consumer Privacy Act of 2018 (CCPA). The new online privacy rules could bring sweeping changes to how technology companies both gather and monetise their customers’ data in the state.
The act has been rushed into the state senate and assembly in order to block even tougher rules, supported by the signatures of 600,000 Californian citizens, from being considered. The deadline for withdrawing the tougher proposals is tonight, forcing legislators to vote on the issue.
While the rules would only apply to California citizens, their adoption would be significant for a number of reasons. First, in 2017, California became the world’s fifth largest economy with a GDP of $2.47 trillion, overtaking the UK, according to federal data released in May.
Second, California is home to Silicon Valley and much of the US technology industry. Apple, Alphabet (Google), Intel, Facebook, Oracle, Salesforce.com, Cisco, Uber, and NVIDIA are among the hundreds of tech companies headquartered in the state, while many more have presences in Silicon Valley.
And third, the cost, complexity, and difficulty of maintaining a different set of privacy rules for California would make it impractical not to adopt the regulations nationally – or globally – especially if other states decide to follow suit.
So if adopted, the rules could create a de facto US standard on transparency in third-party data sharing, as well as on consumers’ right to restrict that data sharing.
California has a history of being in the vanguard of privacy legislation. In 1972, voters amended the state’s Constitution to include the legal and enforceable right to privacy as being among the “inalienable” rights of all citizens.
However, over the past quarter century, that right has been encroached on by the digital economy – ironically, often by companies based in the state.
In November 2017, lawyers acting on behalf of citizens in the state wrote to the Attorney General, outlining proposals for a new consumer privacy act.
The draft legislation said, “Many businesses collect personal information from California consumers using hundreds of tracking and collection devices. They not only know where you live and how many children you have, but also how fast you drive, your personality, sleep habits, biometric and health information, financial information, current location, and social networks, to name just a few categories. California law has not kept pace with these developments.
“The proliferation of personal information over which consumers lack control has limited Californians’ ability to properly protect and safeguard their privacy,” continued the statement.
“Businesses use this personal information for their own purposes, including selling it to and sharing it with other businesses for their commercial purposes without your knowledge, discriminating against you based on price or service level, targeting you with ads, and compiling information about your location, habits, and preferences into an extensive electronic dossier on you.
“Some businesses fail to take adequate precautions to protect this personal information from security breaches and identity theft, putting your privacy at risk. Often, you may not even know that these records exist, or you cannot determine who has access to them or to whom they are being sold or with whom they are being shared.
“At the same time, you are in a position of relative dependence on businesses that collect your information. It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing your personal information.
“But it is difficult, and in many cases impossible, for you to monitor a business’s operations and prevent companies from selling your personal information. […] You should have the right to know what personal information businesses collect about you and your children and what they do with it, including to whom they sell it.”
What the rules say
Their proposed law entailed adding 15 new clauses to the state’s Civil Code. The most significant ones for data-collecting organisations such as Facebook, Amazon, Google, and others, were:
- The right to know what personal information is being collected
- The right to know if personal information is sold or disclosed, and to whom
- The right to say no to the sale of that personal information
- The right to equal service and price (i.e. not to be discriminated against, based on that personal data).
More, the draft legislation’s definition of personal information was extremely broad, and included:
- Identifiers such as name, address, IP address, email address, account name, social security number, passport number, and driving licence
- Property records
- Biometric data
- Browsing history, interaction with advertisements, apps, or websites
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information, meaning that it covers facial recognition
- Psychometric data
- Employment history
- Inferences drawn from any of the information identified above
- All of the above as applied to any minor children of the data subject.
However, the act that is before legislators today is an amended version of the November draft, watering down some of the proposals. Most significantly, it includes exceptions to the right to equal service, allowing companies to offer different levels of service depending on how customers interact with a site, app, or advertisement – the so-called ‘Spotify exception’.
All forms of the legislation have been opposed by Facebook and Google, along with communications giants Comcast, AT&T, and Verizon. The five companies created a $1 million fund to fight CCPA.
The new European
When the General Data Protection Regulation (GDPR) was first discussed in Europe, it was as a hedge against American technology dominance, and some in the US criticised European policymakers for trying to stifle innovation and success with unnecessary red tape.
But much has changed since then. Indeed, for its proponents, the timing of the California proposal couldn’t be better, with increasing alarm being voiced in the US about the extent to which data gathering and corporate surveillance have begun to dominate everyone’s lives, with few checks and balances in place to prevent technology’s abuse.
Facebook CEO Mark Zuckerberg’s appearance before US Congress in April was the tipping point for many, because it took the story into every family’s home and made it relevant to them personally.
But there have been other stories apart from Cambridge Analytica: mass data breaches, the American Civil Liberties Union’s (ACLU) recent complaint to Amazon about sales of its real-time facial recognition systems to police, concerns over smart speakers spying on customers, protests over the use of Google’s AI technology in drone surveillance programmes, and more.
Time to change
A number of US companies have already read the runes of the market and recognised that something has to change; the balance of power has shifted too far. Speaking to this journalist earlier this year, SugarCRM CEO Larry Augustin said he believed it was “inevitable” that the US would follow Europe’s lead with privacy legislation of its own.
He explained, “When you have the CEO of Facebook testifying on these issues in Congress, which makes all of the television and news, I’m not sure that self-regulation is going to be something that Congress will accept.
“Companies will certainly go down the self-regulation path, but I don’t think there’s a lot of trust for that right now. There have been too many incidents.”
On 22 May, Microsoft corporate VP and deputy general counsel Julie Brill wrote a blog post saying, “We believe GDPR establishes important principles that are relevant globally. That’s why today we are announcing that we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide.”
Meanwhile on GDPR enforcement day, 25 May, Apple unveiled a new privacy portal allowing its customers to manage all of the data that they share with the company. At present, the service is limited to users in the EU, Switzerland, Norway, Iceland, and Liechtenstein, but – like Microsoft – Apple says that it will be available worldwide in the coming months.
The following week, Salesforce.com CEO Marc Benioff said, “We need a national privacy law here in the United States that probably looks a lot like GDPR.”
He added, “I think the Europeans with GDPR have really flipped the coin, especially in advertising, but in another areas, saying, ‘Hey, this data belongs to the consumer or to the customers, you guys have to pivot back to the consumer, you have to pivot back to the customer’.”
In the same week, Aaron Levie, CEO of cloud collaboration provider Box, said, “It’s actually really important that the EU acted and the GDPR decision I think was quite timely.
“I do think we need to be thinking about this on a global basis, for two reasons. One is to ensure that we don’t get lots of conflicting data privacy laws that make it really, really hard for a global internet to be able to persist. And the second is to be able to revoke data, to know exactly how it’s being used, to ensure it’s not going to parties that you haven’t given express permission for.”
So with some of the industry’s loudest voices expressing their support for change, the US could be about to follow Europe’s lead – unlikely though that may seem in the current political climate. But all of the supporting voices are singing from the same hymn sheet, the one that says, “We’re not Facebook or Google.”
Internet of Business says
Even if the new rules are not accepted in California this week, it’s clear that there is growing recognition in the US that too much power has been passed to too many private organisations, with too little protection for citizens against the data-led onslaught.
The implications for the industry are intriguing, as AI, analytics, and automation flood into the sector, with the clause about inference from data being the critical element. Any organisations believing that they will simply be able to trawl reams of personal data to make predictions about customers may soon find out otherwise.
But as with GDPR in Europe, canny organisations should see any incoming regulation as an opportunity and a key competitive differentiator, and not as a threat to their business models. Unless their customers have been their real product all along.
• For more up-to-date coverage on this story, see our latest news report.