California passes landmark data privacy act. GDPR for USA?

California passes landmark data privacy act. GDPR for USA?

The citizens of Silicon Valley have won round one of a battle against Google and Facebook, as California introduces new state data privacy laws, which may have to be adopted throughout the US. Chris Middleton examines the implications.

California legislators have passed a new data privacy act in the state, paving the way for a possible introduction of de facto data protection rules in the US.

The California Consumer Privacy Act of 2018 (CCPA) was passed unanimously last night (28 June), after the legislation was rushed through the state senate and assembly to prevent even tougher rules, backed by the signatures of more than 600,000 citizens, from being put before government. The deadline for withdrawing the tougher measures was yesterday, forcing the hand of legislators.

Facebook, Google, Comcast, AT&T, and Verizon were among companies lobbying against the act, which comes into effect in 2020. It’s likely that they and their supporters will now devote their efforts to watering down the legislation before it goes live.

What’s the significance?

As reported by Internet of Business yesterday, CCPA could bring sweeping changes to how technology companies both gather and monetise their customers’ data in the state.

While the rules will only apply to California citizens, their adoption is significant for three reasons. First, in 2017, California became the world’s fifth largest economy with a GDP of $2.47 trillion, overtaking the UK, according to federal data released in May.

Second, California is home to Silicon Valley and much of the US technology industry. Apple, Alphabet (Google), Intel, Facebook, Oracle,, Cisco, Uber, and NVIDIA are among the hundreds of tech companies headquartered in the state, while many more have presences in Silicon Valley.

That citizens in the state have backed strict data privacy laws sends a powerful message to the industry, in the wake of the Facebook/Cambridge Analytica scandal, and other corporate abuses or losses of customer data.

And third, the cost, complexity, and difficulty of maintaining a different set of privacy rules for California would make it impractical not to adopt the regulations nationally – or globally – especially if other states follow suit.

In short, from 2020 onwards, CCPA could create a de facto US standard on transparency in third-party data sharing, as well as on consumers’ right to restrict that sharing.

California dreams

California has a history of being in the vanguard of privacy legislation. In 1972, voters amended the state’s Constitution to include the legal and enforceable right to privacy as being among the “inalienable” rights of all citizens.

However, over the past quarter century, that right has been encroached on by the digital economy – ironically, led by companies in the state.

In November 2017, lawyers acting on behalf of the citizens of California wrote to the Attorney General, outlining proposals for a new consumer privacy act.

The draft legislation said, “The proliferation of personal information over which consumers lack control has limited Californians’ ability to properly protect and safeguard their privacy.

“Businesses use this personal information for their own purposes, including selling it to and sharing it with other businesses for their commercial purposes without your knowledge, discriminating against you based on price or service level, targeting you with ads, and compiling information about your location, habits, and preferences into an extensive electronic dossier on you.

“But it is difficult, and in many cases impossible, for you to monitor a business’s operations and prevent companies from selling your personal information. […] You should have the right to know what personal information businesses collect about you and your children and what they do with it, including to whom they sell it.”

Their proposed law entailed adding 15 clauses to the state’s Civil Code. The most significant ones for data-collecting organisations such as Facebook, Amazon, Google, and others, were:

  • The right to know what personal information is being collected
  • The right to know if personal information is sold or disclosed, and to whom
  • The right to say no to the sale of that personal information
  • The right to equal service and price (i.e. not to be discriminated against, based on that personal data).

More, the draft legislation’s definition of personal information was extremely broad, and included:

  • Identifiers such as name, address, IP address, email address, account name, social security number, passport number, and driving licence
  • Property records
  • Biometric data
  • Browsing history, interaction with advertisements, apps, or websites
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information, including facial recognition
  • Psychometric data
  • Employment history
  • Inferences drawn from any of the information identified above
  • All of the above as applied to any minor children of the data subject.

However, the act that was passed yesterday is an amended version of the November draft, watering down some of the proposals. Most significantly, it includes an exception to the right to equal service, allowing companies to offer different levels of service depending on how customers interact with a site, app, or advertisement – the so-called ‘Spotify exception’.

Corporate support

While Facebook and Google believe that tougher privacy rules threaten their data- and advertising-based models, other US companies have recognised that change is essential.

Speaking to this journalist earlier this year, SugarCRM CEO Larry Augustin said he believed it was “inevitable” that the US would follow Europe’s lead with privacy legislation to rival GDPR, which came into effect last month.

He explained, “When you have the CEO of Facebook testifying on these issues in Congress, which makes all of the television and news, I’m not sure that self-regulation is going to be something that Congress will accept.

“Companies will certainly go down the self-regulation path, but I don’t think there’s a lot of trust for that right now.”

On 22 May, Microsoft corporate VP and deputy general counsel Julie Brill wrote a blog post saying, “We believe GDPR establishes important principles that are relevant globally. That’s why today we are announcing that we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide.”

Meanwhile on GDPR enforcement day, 25 May, Apple unveiled a new privacy portal allowing its customers to manage all of the data that they share with the company. At present, the service is limited to users in the EU, Switzerland, Norway, Iceland, and Liechtenstein, but – like Microsoft – Apple says that it will be available worldwide in the coming months.

The following week, CEO Marc Benioff said, “We need a national privacy law here in the United States that probably looks a lot like GDPR.”

In the same week, Aaron Levie, CEO of cloud collaboration provider Box, said, “I do think we need to be thinking about this on a global basis, for two reasons. One is to ensure that we don’t get lots of conflicting data privacy laws that make it really, really hard for a global internet to be able to persist. And the second is to be able to revoke data, to know exactly how it’s being used, to ensure it’s not going to parties that you haven’t given express permission for.”

So, citizens and a breakaway group of tech luminaries have won the first round. But how many of the act’s clauses will remain in 2020 may come down to the lobbying power of two powerful companies – and local employers – Google and Facebook, allied with the might of the telecommunications sector.

The next two years promise one thing: Silicon Valley will reveal its true colours in the battle ahead.

Internet of Business says

The new state – and perhaps US – rules are a fascinating proposition, as one of the key discussion points has been about how the practical upshot of GDPR has been some websites obliging visitors to opt into everything, sweeping aside the granularity of the rules with a simple ‘yes’ button.

California legislators see that as too weak a solution, so it is conceivable that some aspects of the incoming data protection rules will be stronger than in Europe.

Either way, the implications for the industry are intriguing, as AI, analytics, and automation flood into the sector, with the clause about inference from data being the critical element. Any organisations believing that they will simply be able to trawl reams of personal data to make predictions about their customers may soon find out otherwise.

But as with GDPR in Europe, canny organisations should see any incoming regulation as an opportunity and as a key competitive differentiator, and not as a threat to their business models. Unless their customers have been their real product all along.

• Editor’s note: This story contains elements from our earlier report, including some corrections to that story. Our original report has been amended with those corrections.