Skip to content
Data & Integrations Regulations

First Look: The California Consumer Privacy Act

Will it become a legislative model for the rest of the country? It may not matter

California often leads the way in the United States: culturally, politically, and economically. The three regularly intermingle, and typically defy attempts at tidy separation. The Golden State is leading the way once again, this time on the burgeoning issue of consumer data privacy.

California has just passed a sweeping data-privacy bill that could end up being a legislative template for the rest of the nation: the California Consumer Privacy Act. This in the state that’s ground zero for the tech industry, the most powerful industry on the planet, many members of which survive and thrive on the collection and sale of the kind of data this legislation goes a long way in restricting the commercial use of. 

Power to the people, almost
AB-375, the act’s legislative identifier, was signed by Governor Jerry Brown on June 28. It was introduced only about a week before that. Legislatures are not typically known for speed of action. Why the rush? And why did Big Tech give its blessing?

A ballot initiative was in the works, scheduled to be put before the voters of California in November. Had it passed, it would have been much more restrictive than what was offered in the bill. As such, the bill was viewed by the tech industry as the lesser of two evils, and was acceptable enough to the man behind the ballot initiative—San Francisco real estate developer Alistair Mactaggart—to withdraw it.

Per the act’s official website, the California Consumer Privacy Act gives California citizens ownership of their personal data, control of their personal data, and reassurance regarding the safety of that data. Specifically, Californians will now have the right to:

  • Delete their data.
  • Say no to the sale of their data.
  • Know all the data collected on them by a business.
  • Know the commercial purpose of collecting their data.
  • Know the third parties with whom their data is shared.
  • Know what categories of data will be collected prior to collection.

If you’ve been paying attention lately, this should all sound familiar. A similarly comprehensive data-privacy act just went into effect in Europe at the end of May: the General Data Protection Regulation, or GDPR. It too empowers consumers in the area of personal data, and puts the onus on companies to not just protect that data but to be very clear about why they need it at all.

Curb your enthusiasm
But for all the self-congratulatory exhortations on the act’s website, it’s important to understand that this isn’t the end of the story. The act goes into effect in 2020. Amendments are possible and are, in fact, very likely. Big Tech may have overall supported this bill, but only because it viewed the alternative as much worse. Expect the industry to do what it can to water AB-375 down. A statement by Robert Callahan of the Internet Association is a good indicator of what Big Tech really thinks about AB-375:

“Data regulation policy is complex and impacts every sector of the economy, including the internet industry. That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning … It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”

Members of the Internet Association include Amazon.com, Ebay, Facebook, Google, Netflix, and Twitter. Though it should be noted that Facebook has publicly come out in support of the bill. In the wake of the Cambridge Analytica/Facebook scandal—likely a driving factor behind the sudden awakening on Americans’ part regarding data privacy—this is no surprise.

The California Consumer Privacy Act will be enforced by the Attorney General of the State of California. The AG will be able to fine companies that don’t properly protect personal data. Businesses that must comply with the act include:
 

  • Those that earn $50,000,000 a year or more in revenue.
  • Those that sell 100,000 consumer records each year.
  • Those that derive 50% of their revenue by selling personal data.
  • Those that collect or sell any Californian’s personal data, no matter where in the world that business is located.

That final bullet is very GDPR-esque. Currently in Europe, any company that has any interaction with the personal data of any EU citizen, no matter where in the world that company is based or where it does its work, is subject to the strictures of the GDPR.

Something new from the old country
With most of Big Tech headquartered in the Golden State, whatever changes are needed to suit the nearly 40 million people living there will simply be applied to the rest of the country. It’s unlikely a Google or Facebook will want to section out it’s data collection and sales operations on a California vs. non-California basis. In this regard, the California Consumer Privacy Act is the country’s de facto data-privacy legislation already.

But if other states, or the federal government, do decide to tackle the issue of consumer data privacy at the legislative level, AB-375 will almost certainly be the model. As per usual, the rest of the nation looks to California on many complex and controversial issues of the day, even as California is looking to Europe on this one.