Despite a monumental build-up, the EU GDPR may not have made quite the splash the industry expected – it rather depends on who you ask. However, what it has done is set the wheels in motion for other countries, such as Brazil, to adopt similar legislation. One in particular, which is starting to take data privacy very seriously, is the U.S. Multiple states have started updating their consumer privacy acts, and the state of California, the home of ad tech, has taken it one step further. Writing exclusively for ExchangeWire, Vincent Potier, founder, London Digital Ventures, and data protection legislation consultant, explains why the California Consumer Protection Act (CCPA) is the most ambitious piece of data protection legislation to hit the U.S.
The man who knew too much
It reads like the opening of a Hollywood movie. The story goes: a few years ago, a San Francisco real estate developer had a casual chat with an engineer from a large internet company, who bragged about everything he knew about everyone, thanks to the data collected by the company he worked for. The real estate developer suddenly realised the extent of the data problem that we, as a fast-changing digital society, are faced with. Yes, the internet has fostered 20 years of runaway innovation, and tons of free services that we have grown accustomed to and become dependent on, but this comes at a price: our data privacy. The proliferation of data that we give away freely means that some companies know everything about us. Frankly, is that acceptable? Is it normal not to care? Or is it just plain foolish? And is it sustainable in a free society?
The CCPA genesis
The biggest data privacy initiative ever to hit the United States came from an unlikely trio: a real estate developer, a former CIA analyst, and a finance executive. Together they worked on what came to be known as the ‘California ballot initiative’.
What is it? California law lets you put such initiatives on the electoral ballot for the next election, and requires a minimum of 366,000 signatures to be certified by state officials. By May 2018, they had already received over 600,000 signatures and were getting ready for an arduous campaign come November when, prior to the ballot ‘deadline’, they were approached by state legislators – coincidentally, not long after GDPR was implemented in Europe (25 May, 2018). Acknowledging that ballot initiatives can be a cumbersome way to make policy on such complex subjects as data privacy, they sat down with the legislators. “Here is the deal”, the lawmakers must have said to the privacy activists. “Take your initiative down and we will pass a law within the next few days.”
And so they did. The bill (AB-375) was discussed with the original proponents of the initiative, negotiated, passed unanimously on 28 June 2018, and signed into law by Governor Jerry Brown the very same day. So, what’s this law about and why is it so important?
What’s all the fuss about?
Firstly, it is by far the most ambitious and comprehensive piece of data privacy legislation ever to hit the United States.
Secondly, it was undoubtedly influenced by the GDPR and its extraterritorial nature, whose bold stance has not ceased to surprise the U.S. market.
Thirdly, the pressure was mounting: after the GDPR implementation date on 25 May 2018, Vermont passed its data brokers bill on 27 May 2018, and Colorado updated its consumer data protection legislation with the adoption into law of HB-1128. Then, four weeks later, it was California’s turn.
So, what is the CCPA about? It has three major components:
1. It gives consumers the ability to ask companies to disclose what data has been collected and sold about them.
2. It gives consumers the right to request that companies stop selling their data.
3. It sets more stringent standards for data security.
The scope covers for-profit companies doing business in the state of California that determine the means and the purposes of the processing (the equivalent of the ‘controller’ under GDPR) and, of course, that collect consumer personal information. It does not, however, affect everyone: to fall within the scope, the company needs to have a minimum of USD$25m (£19.5m) in annual revenues, or sell the information of a minimum of 50,000 consumers.
Interestingly, the definition of personal information marks a clear break with the 1974 U.S. Privacy Act (remember good old PII) and might go beyond the GDPR, for example by including inferences drawn from the personal data (aptitudes, predispositions, etc.) in a way that seems broader than the GDPR’s definition.
The CCPA creates four basic rights:
1. The right to know what personal information a business has about you.
2. The right to delete personal information that a business has collected about you.
3. The right to opt out of the sale of your personal information.
4. The right to receive equal service and pricing from a business (with some important exceptions).
As for penalties, although the numbers don’t look like the €20m (£18m) quoted in the GDPR, the fines are cited per individual, and are mainly linked to data breaches and to failure to comply with consumers’ requests (yes, consumers, not data subjects). For example, businesses that fail to correct alleged violations within 30 days will be subject to a fine of USD$7,500 (£5,847) per violation. And for data breaches, it can be up to USD$750 (£585) per user. If you have a breach affecting one billion user IDs, just do the maths on what that could cost violating businesses.
The GDPR is broader than the CCPA in many aspects, but there are a lot of similarities and overlaps. This means that companies that went through the process of complying with GDPR will find it easier to comply with the CCPA. When you read the 31-page legislation, it really can at times feel like ‘GDPR-lite’. There are also many differences. Some examples: the CCPA does not focus so much on consent and consent mechanisms, but rather offers financial incentives for the consumer for the collection and sale of their personal information, and imposes more rigid restrictions on data sharing for commercial purposes.
A view into the future
Because of the deadline, the law was drafted quickly. This means that no one is happy: company lobbyists feel it went too far and privacy activists feel it did not go far enough. Both parties have between August 2018 and August 2019 to push for their amendments, i.e. to strengthen the law or soften it. The law will come into force on 1 January, 2020. Now, it is very clear that the federal government does not want a patchwork of data privacy legislation to pepper the United States. So, expect Congress or the FTC to make some noise very soon. Let’s see whether they’d want to bring in the GDPR too.
Anyway, the key takeaway for global companies is that the GDPR, often dismissed as the exception a year ago, is likely to become the norm the world over. The most impressive outcome of the GDPR to date is the influence it has had on data protection of so many countries, including the U.S. And this is just the beginning…