California Joins Europe in Fight for Online Privacy
(Bloomberg) -- Once again, the most populous U.S. state is moving ahead of the rest of the country in how it regulates big business. A sweeping privacy law that takes effect on Jan. 1 will give Californians new rights and powers to control their personal information. This will mean that on privacy, California has more in common with the European Union than with other U.S. states. Will any of them follow?
1. What will California’s law do?
The California Consumer Privacy Act limits how companies collect and make money from user data online. It gives consumers the right to ask a company what data it holds on them and to have that data deleted, as well as the right to opt out of the sale of personal information. Companies must establish methods for consumers to submit data requests and respond to them. Consumers have a limited right to sue over breaches of their data if a company fails to meet its security obligations; companies have a right to defend themselves by showing they corrected a data security failure. The law takes effect Jan. 1, but the attorney general’s office is still drafting regulations on compliance, so enforcement won’t begin until July 1.
2. What companies are affected?
Any company that does business in California and collects or holds the personal information of California residents, and has annual gross revenue of more than $25 million, buys or holds information on 50,000 or more consumers, or derives at least half its annual revenue from selling that information. That includes tech giants like Facebook, Twitter, Alphabet’s Google, and Amazon.com, big retailers such as Walmart, and thousands of other companies.
3. How much does California’s law resemble Europe’s?
Like the European Union’s General Data Protection Regulation, which took effect in 2018, California’s law gives individuals the right to access and delete their personal information. But their details vary (and compliance with one doesn’t equal compliance with the other). California consumers have stronger rights to opt out of information sharing. That’s because the EU law specifies five legal justifications that a company can cite in processing personal data without the user’s consent. The EU law covers all businesses that have data on people within the bloc, while the California law has thresholds for business activity and other exemptions before the law can apply. The two laws also differ on assessing penalties for violations.
4. What are the penalties?
The California law imposes fines of $2,500 to $7,500 for “intentional” violations, a modest sum that could add up quickly for companies that have data on thousands or even millions of consumers. (The state attorney general’s office has said it will be able to bring only a handful of cases per year against the most egregious offenders.) The EU law allows regulators to impose fines of up to 20 million euros ($22.3 million), or as much as 4% of a company’s global annual revenue, whichever is greater. The largest fine imposed so far in Europe was 50 million euros ($56 million) against Google by the French data protection authority for privacy violations. British Airways is facing a proposed fine by the U.K. of 183.4 million pounds ($244.5 million) for exposing the data of about 500,000 customers to computer hackers. The company has said it will appeal.
5. Why such concern over privacy?
Google, Facebook, and other companies that dominate online advertising can target consumers using data they’ve collected on their own or through third parties. Consumers don’t know what data the companies use or where they got it. There are worries about makers of smart speakers listening to household conversations without clearly explaining that some of these chats are reviewed by humans. There was political consultant Cambridge Analytica’s use of Facebook user data to attempt to influence the 2016 election on behalf of Donald Trump’s presidential campaign. And there are periodic reports of data breaches so big that they expose personal information of hundreds of millions of people.
6. Can companies accommodate one state’s higher standards?
Yes -- and many industries have had to have had to for decades. Just ask automakers, which long built lower-polluting vehicles to satisfy California’s toughest-in-the-nation limits. Under the Clean Air Act, the state has special authority to set its own more stringent requirements governing air pollution, turning California into a de facto policy-setter for the nation. Now tech firms, like the automakers before them, are pushing for a uniform federal law that would override state-specific standards such as California’s.
7. Will there be a federal law?
Many lawmakers and the tech industry agree in principle that a federal law on online privacy would be preferable to a patchwork of state laws. But progress on a nationwide law has stumbled, with lawmakers disagreeing over whether states should remain free to craft their own rules on top of the federal standard and whether consumers should be allowed to sue over violations. Prospects for a federal law in 2020 are low.
8. Will other states copy California?
According to Stateline, an initiative of The Pew Charitable Trusts, 24 U.S. states considered legislation on data privacy in 2019, and three -- Illinois, Maine and Nevada -- enacted new laws, though none are as sweeping as California’s. New York, Massachusetts, and Washington, among a handful of others, are likely to consider privacy legislation in 2020.
The Reference Shelf
- A fact sheet on California’s law.
- QuickTake explainers on privacy in the age of big tech, the GDPR and Europe’s lead role in policing the web.
- A look at the latest effort in Congress to move forward with a national law.
- The Future of Privacy Forum compared Europe’s GDPR and California’s CCPA.
- A running tally of the largest fines imposed under GDPR.
- The architect of the California law is plotting more initiatives on privacy.
©2019 Bloomberg L.P.