In June, California governor Jerry Brown signed into law the California Consumer Privacy Act of 2018, the most significant data privacy regulation in the United States to date. The Act, enacted as AB 375, won’t come into effect until January 1, 2020. But already, some in the tech world are likening the new law to the EU’s GDPR, which began applying in May. So, is this GDPR in the US? Let’s take a look.
Californians for Consumer Privacy, the campaign behind AB 375, was founded by Alastair Mactaggart, former President of The Emerald Fund, the largest residential developer in San Francisco. In a letter published on the campaign’s site, Mactaggart describes a conversation with a Google engineer, who told him in 2015, “If people just understood how much we knew about them, they’d be really worried.” Conversations like these, and the spate of major data breaches and misuse incidents involving Facebook, Equifax, and others, inspired Mactaggart to invest several million dollars to make data privacy legislation a reality in California.
Tech companies rallied against the new legislation. The Internet Association, a lobbying group representing tech giants including Facebook, Google, Uber, Amazon, and Microsoft, said in a statement after the act passed, “Data regulation policy is complex and impacts every sector of the economy, including the internet industry. That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”
Compared to the GDPR’s 99 articles and 173 recitals, AB 375 is a measly 10,000 words. That’s because many details of the act’s implementation have yet to be worked out, something supporters promise will be done before it comes into effect. California’s Attorney General will be behind much of AB 375’s enforcement: the AG is to issue the implementing regulations and will bring civil enforcement actions against companies that violate the act.
The act’s key subjects are defined as follows:
Companies (“businesses” in the act’s own terms): For-profit organizations that do business in California and meet one or more of the following three criteria:
- Annual gross revenues in excess of $25 million.
- Annually buys, receives, sells, or shares for commercial purposes, information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
Consumer: A “natural person” who is a California resident.
The act’s key provisions for consumers are:
- Consumers will have the right to know what sort of data companies have on them, and the purposes for which it’s used. They can also require companies to delete their data, and/or cease the sale of their data.
- Companies that collect data on Californians will have to disclose their right to ask for the deletion of their data, and to opt-out of its sale. They also must disclose what kind of data they’re collecting, and to whom it’s distributed or sold.
- Consumers will have a private right of action if their nonencrypted or nonredacted personal information is stolen in a breach that results from a company’s failure to maintain reasonable security. They can sue individually or as a class for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Other violations of the act are enforced by the Attorney General, not by private lawsuits.
- Companies cannot sell the data of individuals under 16 years of age without explicit (opt-in) consent from the consumer (if they’re 13 or older) or from their parent or guardian (if they’re under 13).
Those familiar with the EU’s General Data Protection Regulation, which went into effect in May, will see immediate parallels regarding the rights of consumers (or “data subjects” as GDPR puts them) to know what information is being collected on them and how it’s being used.
Beyond that, the acts have some marked differences. Generally speaking, GDPR is more comprehensive, offering consumers additional rights like the right to have inaccurate data corrected and the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects. Additionally, the GDPR is more restrictive in terms of what companies can and cannot do: every use of personal data needs a lawful basis, and processing is tied to the purposes disclosed when the data was collected. The California Consumer Privacy Act of 2018, as its name would suggest, is more a consumer-centric act, focusing mostly on Californians’ rights to understand and control their data.
Notably, the two laws have different approaches when it comes to consumer consent. In most cases, AB 375 simply requires that companies give consumers the option to “opt out” of the sale of their data (unless the subject is under 16, where the sale requires opt-in consent). GDPR takes a stricter approach: where consent is the lawful basis for processing, it must be freely given, specific, informed, and unambiguous, which in practice means explicit “opt-in” consent before the data is used.
The most important thing to realize is that compliance with GDPR will not assure compliance with AB 375. This will present a major headache for companies subject to both pieces of legislation as they try to navigate the requirements of both. One approach may be to segment data collection and disclosures based on users’ IP addresses, offering different experiences to California IP addresses, EU IP addresses, and everybody else. Such an approach only goes so far, though. An IP address is an imperfect indicator of a user’s location (VPNs, proxies, and mobile carriers all blur it), and neither law keys on location alone: AB 375 protects California residents wherever they happen to be, and GDPR covers people in the EU regardless of nationality. A safer default is to treat an unresolvable or suspicious address as subject to both regimes rather than neither.
For now, tech professionals ought to keep an eye on updates and refinements to AB 375, particularly the Attorney General’s regulations on how the law will be enforced beginning in 2020. Even companies that aren’t yet subject to the law should start discussing compliance strategies. Supporters of AB 375 say it will lead the way for future privacy legislation in the US. There’s a very good chance they’ll be proven right.