On the heels of the implementation of the General Data Protection Regulation (GDPR) in the EU and a number of data privacy scandals in the US comes the California Consumer Privacy Act of 2018 (AB 375). The law is enforceable on January 1, 2020, and makes sweeping changes to data privacy requirements for business in California. While we at SpotX certainly expected some form of privacy legislation in the US following the recent spate of data breaches and scandals, it is surprising how quickly this law was passed, especially since lawmakers didn’t have time to incorporate lessons learned from the choppy implementation of GDPR.
What is the purpose of the law?
The purpose is to expand existing privacy rights in California, to help you (the Californian consumer) “Own Your Personal Information, Control Your Personal Information, Secure Your Personal Information” and “Hold Big Corporations Accountable” (CA Privacy). According to the California Consumer Privacy Act website, the law gives Californians the following rights:
- Right to know all data collected by a business on you, twice a year, free of charge.
- Right to say no to the sale of your information.
- Information Security: Right to sue companies who collected your data, where that data was stolen or disclosed pursuant to an unauthorized data breach, if the company was careless or negligent about how it protected your data (i.e. if the data was unencrypted, un-redacted, or the company didn’t have reasonable security policies and procedures in place to protect it).
- Right to delete data you have posted.
- Right not to be discriminated against if you tell a company not to sell your personal information.
- Right to be informed of what categories of data will be collected about you prior to its collection/at point of collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- Right to know the categories of third parties with whom your data is shared
- Right to know the categories of sources of information from whom your data was acquired.
- Right to know the business or commercial purpose of collecting your information.
There are several caveats and confusing areas within the law that will need to be ironed out before the law can be reasonably implemented. For example, an analysis from Fast Company points out that “for people who don’t share data, the law prohibits discriminating, denying goods or services, charging different prices or rates, or providing a different level of quality [Section 1798.125 (a) (1)]. Then, it says that all those things are OK if they are ‘reasonably related to the value provided to the consumer by the consumer’s data.’” Without further clarification from regulators, we could see the type of discrimination the law hopes to avoid as companies use a “reasonably related” argument to justify withholding services in exchange for data.
How does the new law integrate with existing laws?
Additionally, an iApp analysis points out that the drafters of the law did not address any overlap or inconsistencies between existing law and the new law. Instead, the law simply says that in the case of a conflict, the strictest law will be used and that the new law “shall be liberally construed to effectuate its purposes.” This will certainly create confusion and uncertainty as businesses try to navigate the already complex California landscape.
Why did it pass so quickly?
News about the California Consumer Privacy Act came in a whirlwind in June, as it was introduced and signed into law within a matter of days. Why? After a series of high-profile privacy scandals, Cambridge Analytica and Equifax to name a few, a petition to hold a referendum as a California ballot initiative in November gained steam with over 600,000 signatures. A ballot initiative requires a 70% majority to amend and only modifications that “are consistent with and further the intent of this Act” are permitted. Unlike the ballot initiative, the type of law that actually passed only requires a simple majority to change, and is less strict in its privacy restrictions, and was, therefore, more palatable to all.
After much lobbying by the titans of the tech industry, the backers of the ballot initiative agreed to withdraw it in support of the law which passed soon after. So, by getting the legislation passed quickly, the legislature gave itself a lot more flexibility between the law’s passage and its enforcement date to fine-tune the law and remove some of the ambiguity it has caused.
This is our blog first post on the California Privacy Act. We will cover more details and its specific effects on ad tech in future posts, so stay tuned.
Eric Shiffman, Product Marketing Manager