Paradigm Shift in Data Privacy: California Follows GDPR’s Suit With AB 375
On June 28th, California’s governor Jerry Brown signed the California Consumer Privacy Act of 2018 (AB 375) into law. The document itself is a 68-page text on what rights consumers have with regard to their personal data, and what businesses are allowed to do with it.
The law obviously echoes Europe’s GDPR in many aspects; however, it also takes some of those provisions even further. While the GDPR was widely discussed for years before its enactment, the California law will become effective on the first day of 2020, so there is almost a year and a half for local companies to prepare themselves for the new regulations.
So, what could this mean for local businesses? And, more importantly, considering the recent emergence of the GDPR, what is this new data-treatment trend actually about?
Data Transparency and Access Requirements
Just like the GDPR, California’s brand new AB 375 obliges businesses to tell users what categories of private data (IP addresses, network activity information, personal identifiers, geolocation, etc.) are to be collected and for what purpose. Logically, when requested, a business has to disclose the actual sets of data it has collected from the user who made the request, as well as the list of categories the data falls into, the sources of said data, and the commercial purposes it was used for. In addition to that, AB 375 requires businesses to inform users about their right to ask the company to remove the personal data it has collected.
This hardly differs from the corresponding provision in the GDPR; however, there are differences when it comes to the sale of personal data to third parties. AB 375 states that a business should also tell its users that their personal data may be sold and allow them to choose whether they want their data to be treated that way. For that purpose, a company’s homepage should offer a “Do Not Sell My Personal Information” button leading to the respective section of the privacy policy.
Data Removal and Portability
Again, exactly like the EU’s GDPR, the California Consumer Privacy Act entitles local users to demand the removal of their personal data collected by a certain business. Basically, it is similar to “the right to be forgotten” that had existed in the EU long before the GDPR was even drafted.
Apart from removal, a user can request their data in a usable and portable package that can be easily handed over to another company or service. This may be of use for those who are thinking about moving from Facebook to MySpace but weren’t amazed by the idea of manually filling in a whole new profile for themselves and advertisers to enjoy.
Collection of Deidentified Data and Opt-Out Approach
As implied by the transparency requirements mentioned above, AB 375 entitles users to opt out of the sale of their personal data to third parties. The third party, in turn, isn’t allowed to resell personal data unless the user in question has been notified and offered the chance to opt out of the sale. By comparison, Article 18 of the GDPR allows users to withdraw their consent for data processing under certain conditions, such as when the accuracy of the data in question is contested, or when the data are being processed unlawfully. However, the Article doesn’t explicitly address the sale of personal data.
It is important, however, that a business remains free to collect, store, process, and transfer aggregate data that are deidentified. To clarify, the document defines “aggregate consumer information” as information about a group or a category of users that isn’t linked to individuals’ identities, households, or particular devices. Deidentified, similarly, means that the information in question can’t be directly or indirectly traced back to the actual person.
Financial Incentives and Penalties
Unlike the GDPR, the California Consumer Privacy Act allows businesses to offer their users certain financial benefits in exchange for the user’s consent to the collection and processing of their personal information. The Act also prohibits businesses from discriminating against those who haven’t given their consent.
As for deterrents, AB 375 prescribes a fine of up to $7,500 for each case of violation. While the amount may seem quite small for a giant corporation, it can still get quite hefty if the company is caught with unlawfully collected data on millions of users.
The GDPR, for its part, distinguishes lower- and upper-level violations. The former carry fines of up to €10 million or up to 2% of the company’s total worldwide annual turnover. The violations in question include things like processing personal data in the absence of the relevant certificates, or processing data that are not required for the initially stated purposes.
Upper-level violations carry fines of up to €20 million or up to 4% of the company’s total worldwide annual turnover. Those violations include, among others, non-compliance with the supervisory authority, violations of data subjects’ rights, and insufficient disclosure of the required information.
Conclusion
While the California Consumer Privacy Act mirrors the GDPR in many regards, there are significant differences between them, most importantly with regard to financial incentives for sharing personal data.
The emergence of such laws probably highlights a new trend: personal data is finally becoming a commonly recognized value. Back in the day, regular online users had to face the fact that their personal data were beyond their reasonable control. In many cases, refusing to share data with a website was equal to refusing to visit that website. Those data, however, are quite valuable, as the advertising industry has proved. Given the recent scandals involving Facebook, Cambridge Analytica, and numerous tech companies that treated other people’s personal data as their own property, it is little surprise that data protection legislation started evolving rapidly. Now, users whose data are used for business purposes have to be directly involved in the process of data sharing.
With the California Consumer Privacy Act, it has come to the brink of making the collection and use of personal data subject to mandatory payouts to those who provide their personal information. While the Act only says that companies “may offer financial incentives” for the collection of personal data, it seems quite possible that in the next few years this financial involvement of regular users in the data-sharing market will become commonplace.