California Adopts Tough New Data Laws as GDPR Ripple Effect Spreads


A month into the introduction of the European Union’s General Data Protection Regulation, the much-expected chain reaction has begun, with the state of California passing its own strict set of rules.

The California Consumer Privacy Act approved last week gives individuals far-reaching powers over their personal data. Consumers will have the right to find out what data technology companies including Facebook and Google are collecting about them, with whom the companies are sharing the data and what they plan to do with it.

They will be able to stop companies from selling their data, though businesses are allowed to “share” data with their partners. Companies will also be able to charge higher prices to consumers who opt out of data selling.

The Dawn of Policy Standardization?

Significantly, the legislation gives California’s attorney general the power to fine companies that fail to comply. While it applies only to dealings in California, the rules are widely expected to become a default for privacy across the US as companies standardize their policies, rather than adapt to each state’s different requirements. This ripple effect is similar to that of the GDPR, which is rapidly becoming the blueprint for privacy standards for multinational businesses.

While the California act is less stringent than the GDPR, it is tougher than any existing rules in the US. However, the new rules are not scheduled to come into effect until 2020, giving politicians two years to debate, change and possibly water them down.

Legislators hurried the bill through to avoid a ballot initiative on data protection, which could have led to even more draconian privacy measures. The call for a ballot on toughening up the state’s data rules followed the recent scandal involving political consultancy firm Cambridge Analytica, which collected personally identifiable data about tens of millions of Facebook users without their knowledge. As a result, consumers are increasingly suspicious about how tech giants collect and use their data and are fearful of their data being manipulated by unknown third parties.

A New Global Benchmark

The tech giants are facing a double-pronged attack on their ability to monetize data. The GDPR has led countries across the globe to re-examine their own data laws and attempt to bring them more into line with European rules. Any business that targets EU consumers must comply with the law, regardless of where it is based. The need to comply with EU trade rules effectively makes the GDPR the benchmark for global corporations and obliges much of the world to follow suit.

Other countries are ready to change their own privacy laws to ensure their companies can demonstrate the “data adequacy” required to work with European businesses. This will permit them to process European data through local server farms, call centers and tracking technology, which can provide a considerable boost to the national economy. Countries including Japan, Singapore and South Africa are undertaking revision of their data legislation to make it GDPR-compatible.

The Autumn of Data Harvesting

However, the US has tended to take its own approach to data legislation. Privacy is not a feature of the US Constitution, and is not deemed a fundamental right. There are specific federal laws for different sectors such as the Children’s Online Protection Act and Health Insurance Portability and Accountability Act, but each state makes its own legislation and has its own definition of a data breach.

In 2000, the US negotiated a deal with the EU to facilitate data processing, known as the Safe Harbor principles. It was replaced in 2015 with the Privacy Shield framework, following the leak by Edward Snowden of documents revealing that the National Security Agency was collecting private data.

California’s legislation is a significant development in the state which is home to Silicon Valley and global tech giants including Google, Facebook and Uber that are among the world’s biggest harvesters of data. The new law represents a further restriction on the easy access to personal data enjoyed until recently by the technology industry, and that arguably has contributed to its rapid growth.

The act appears to signal an end to the initial, unregulated phase of the data economy. Europe’s GDPR has set the ball rolling and is likely to become a de facto standard for privacy across the world. For data-driven companies, doing business will become a little bit tougher from now on.