On June 28, 2018, the California Consumer Privacy Act of 2018 (also known as AB 375) was passed through the legislature and signed by Governor Jerry Brown[1]. AB 375 is amongst the first law of its kind in the United States and puts California ahead of the nation on consumer protections. This law was inspired by the massive data breach of Facebook via the data analysis firm Cambridge Analytica [2].
Since the revelation of how vulnerable consumer data is through mainstream sites, and how those sites profit from selling that data to third parties, the concern of privacy has shifted from government to the private sector. Facebook, along with other large internet firms have made public statements to reassure patrons that data security is a priority, however, we may see more states forcing firms to honor their commitment.
Supporters of this measure believe that these consumer safeguards will reduce the damage of data breaches which, in turn, disincentivizes the practice. Detractors (primarily large tech companies and their lobbying organizations) believe that creating these regulations on the use of data will decrease their revenue and inhibit their hiring capabilities in major operating hubs [3]. Additionally, there is the possibility that if a large portion of users elect to keep their data private, websites won’t be able to align users with preferences based on that data. This loss of efficiency could create a domino effect reducing purchases and revenues for a myriad of industries. The vendetta here is whether this bill is usefully protective vs. uselessly prohibitive. Giving consumers access to their data and the right to decide if it can be gathered or not will boost user confidence, but if their experience encourages them to leave certain sites then does the measure produce more harm than good? And what if internet firms simply make data access a mandatory requisite for use?
AB 375 has 4 primary privileges for Californians:
- Californians have the right to see what data businesses collect from them.
- Request that any data collected by deleted
- Request information on the type of firms their data is sold to
- Demand that businesses refrain from selling their data
No other state offers consumers such access and control over their data. A similar policy in the European Union was implemented in May of this year called the ‘General Data Protection Regulation’ [4]. This plan mandates that data collectors and processors pseudonymize or anonymize user information for maximal identity protection. This regulation also states that data collectors may only collect data if there is a legal reason to do so. Though not quite as intensive, the CCPA is a decisive move for legislators in the realm of privacy policy.
Those who believe the CCPA is productive policy agree that
- The law protects consumers
- Provides much needed transparency
- Reduces the magnitude of future data breaches
- Bolster consumer confidence
Those who believe the CCPA is prohibitive agree that
- The law negatively affects business models
- Will unnecessarily reduce revenue
- Will degrade user experience
- Will inhibit company growth
In light of the Cambridge Analytica scandal, and other large data breaches, such as that of Experian and consumer retail chains, there needs to be some form of insolation. Protection notwithstanding, a large portion of California’s immense wealth, employment base, and ability to attract monetary and intellectual capital lies in the technological sector; which means the state can’t afford to bite the hand that feeds. If the law is passed it will cost data collectors, and many other businesses, to conform to the new requirements and there is the possibility that money from data sales will dry up entirely if consumers decide en mass that they don’t want their data sold. Making data acquisition a requirement for use of a service would invite legal challenges which could invalidate the effectiveness of the bill. The bill is set to become effective January 1, 2020, and lobbyists for Big Tech plan on having amendments made to the final version. Final resolutions will be made behind closed doors, over meals, and hearings in Sacramento.
In order to placate the forces fueling California while simultaneously giving consumers the protection they deserve, the CCPA should maintain its current policy positions but allow a grace period of 60 days to process all consumer requests that will inevitably be made. Measures should also be taken to insulate the major firms from retroactive litigation if consumers should object past uses of their data. The next two years will beget a lengthy and internecine debate from the halls of Silicon Valley to the steps of California’s own capital. Will California be a trendsetter or a lone wolf in the developing area of privacy law?
Take Action:
Curious about the current state of the legislation? Follow this website- https://caprivacy.org/updates
Want to read the whole bill word for word? Take a look- http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375
Want to see some direct news coverage of the law? Look here- https://youtube.com/watch?v=PFdh1J_9zlM
Want a more in depth analysis of the bill? Look here- https://iapp.org/news/a/analysis-the-california-consumer-privacy-act-of-2018/
References:
- “California passes consumer protection, online privacy law”, Jurist, accessed July 22, 2018. https://www.jurist.org/news/2018/06/california-passes-consumer-protection-online-privacy-law-done/
- “Facebook-Cambridge Analytica data scandal”, Wikipedia, accessed July 22, 2018. https://en.wikipedia.org/wiki/Facebook–Cambridge_Analytica_data_scandal
- “California Unanimously Passes Historic Privacy Bill”, Wired, accessed July 22, 2018. https://www.wired.com/story/california-unanimously-passes-historic-privacy-bill/
- “General Data Protection Regulation”, Wikipedia, accessed July 22, 2018. https://en.wikipedia.org/wiki/General_Data_Protection_Regulation