At the end of June, California brought the West Coast a step closer to its version of GDPR. While the requirements of California's privacy bill and the European Union's General Data Protection Regulation (GDPR) differ, they are rooted in the same mission: protecting consumer data rights whether big tech likes it or not.
California Governor Jerry Brown signed the California Consumer Privacy Act of 2018 just before its deadline in June, and it will go into effect on Jan. 1, 2020. Echoing much of GDPR, the bill will "grant a consumer a right to request a business to disclose the categories and specific pieces of personal information" it collects, as well as how and why it collects that information and who it gives the data to.
In many ways, California is America's incubator of the future and therefore sets things in motion to "become the national practice," Katie Hanzlick, press secretary for California Senator Robert Hertzberg, D, said in an interview with CIO Dive.
The Golden State's move is "leading the resistance," Hanzlick said. Hertzberg intends to discuss the momentum of the bill at the National Conference of State Legislatures at the end of the month.
Because California has one of the largest economies in the world and the largest in the United States, it definitely has a "reciprocal effect on other states," Peter Yeung, general counsel and VP for Episerver, told CIO Dive in an interview.
It is likely there will be a domino effect across the states, but no one knows when the federal government will move forward with a universal law. The current administration is moving to deregulate privacy policies, as seen in April 2017 when President Donald Trump signed a bill which nullified the Federal Communications Commission's "rule on privacy of customers of broadband" and telecom services, according to the White House's announcement.
This isn't California's first rodeo
As early as 2003, not long after the dawn of the internet, California enacted the Online Privacy Protection Act, which required operators of commercial websites that collected consumer data to "conspicuously post a privacy policy" on the site, according to the law.
It's taken nearly two decades for other states to follow suit in terms of privacy and breach protections for consumers. A privacy bill like California's "simply takes the definition of what we've referred to as personally identifiable information and puts it on steroids," Fouad Khalil, head of compliance at SecurityScorecard, told CIO Dive, because "nothing is out of scope of breach notification."
It may be unfair to say California consumers are more tech and policy savvy just because of their geographical location. However, California legislators may be more in tune with the privacy needs of their constituents, Ken Stasiak, principal at RSM, told CIO Dive.
As far back as 2014, before the Equifax and Cambridge Analytica scandals, about 90% of Americans agreed that they "lost control" of how their data is collected and used by others, according to Pew Research.
The passage of the bill "is a natural evolution" from the notoriety of major data breaches and harvesting, said Stasiak. Still, until a sound federal law is in place, there will always be states missing their version of GDPR because "it's just a function of the partisan political environment we currently are experiencing," Stasiak said.
Tech isn't too happy about it
Prior to Brown signing the bill, Facebook, Google, Comcast, AT&T and Verizon together contributed $1 million in opposition to the Ballot Initiative that was set for a vote in November, according to the records of California's Secretary of State and Committee to Protect California Jobs sponsored by the California Chamber of Commerce.
Each company gave $200,000. However, Facebook changed its tune in April and voiced its desire to help policymakers shape the approach to privacy policies. Still, big tech companies that aren't resistant to compliance "definitely want a say in the argument," even if there is public resistance, said Yeung.
"We support privacy laws that protect consumers and encourage innovation," said Katherine Williams, Google spokesperson, in an emailed statement to CIO Dive. But while the "law marks some improvements to an overly vague and broad ballot measure, it came together under extreme time pressure and imposes sweeping novel obligations on thousands of large and small businesses around the world, across every industry."
But some fear that companies are going to approach the legislation with actions that target and manipulate consumer actions online. "To camouflage 'compliance' with privacy, we have witnessed companies resort to dark patterns," according to Khalil.
"Dark patterns deprive users of control," which is a founding requirement of California's law. Companies pursuing such patterns are a reflection of their "desperate attempt" to maintain the status quo of data collection and sale to third parties, said Khalil.
Giving consumers the "illusion" of control was a false solution for many companies that effectively rebranded policies without changing the operations behind them to fully comply with GDPR.
Such patterns are seen in misdirection, which steers users toward other applications through temptation. Checkboxes, another dark pattern, are the easiest way for companies to obtain user data because people usually check them without a second thought, according to Khalil.
Where does the US go from here
California is trying to arm consumers with rights and give some of the power back to them while taking away some of the freedom of large corporations. The law, as currently written, applies to all companies that do business with California residents, whether or not they are based in California. If these companies are going to be putting it into practice, they might as well apply a blanket policy for all consumers, according to Hanzlick.
"The law itself is a microcosm of California," said Yeung, and GDPR served as a temperature gauge for most American companies. In terms of compliance, many organizations used GDPR's May 25 deadline as the beginning of a conversation. California put that conversation on blast.
But with a law so close to home, companies may no longer have the choice but to fully commit to the changing landscape of consumer privacy. The California Consumer Privacy Act of 2018 applies to any company doing business with California residents, making the workaround much more difficult for companies that were able to opt out of GDPR compliance.
No one can say how long it will take the rest of the U.S. to catch up to California, but "the rub is that most will have to abide by the more stringent state laws" because of the cost of developing a different model for states with lower privacy regulations, according to Stasiak.