Tech Companies Cool Toward California Consumer Privacy Act

There’s a saying, “As California goes, so goes the nation.” And for good reason: It seems many of the laws and cultural norms we now take for granted originated in California. It’s like the state is America’s test lab.

Will we see another California initiative go national in the next decade? On the heels of the EU’s General Data Protection Regulation (GDPR), California lawmakers passed a tough new privacy law, the California Consumer Privacy Act (CCPA), which is designed to give consumers more control over their personal information. Under the act, which takes effect Jan. 1, 2020, consumers will be able to ask a business what personal information it collects about them, how it collects it and how that information is used.


Personally, I’m surprised that a state passed privacy legislation so quickly after GDPR went live. Many security experts I spoke with assumed either that, because so many businesses already had to implement GDPR compliance, such a law was unnecessary in the United States, or that government would take a wait-and-see approach. I expected the latter, considering that other security and privacy initiatives have lingered in committees for years. However, according to The Hill, California’s legislature jumped on this bill to avoid a potential ballot initiative that was gaining steam.

The question now for California, and for the state governments watching, is whether companies will embrace the California Consumer Privacy Act or find loopholes to skirt it.

Tech’s Objections

California’s tech companies, usually out on the front line of innovation and new ideas, are soundly against the state’s new privacy law. We shouldn’t be surprised, Willy Leichter, vice president of marketing at Virsec, said in an email comment, because it throws a wrench directly into their primary source of revenue: collecting and monetizing personal data.

“It’s very appealing to consumers that they can opt out of marketing lists and have their data deleted,” Leichter added. “However, it’s hard to conceive of how this can effectively work. Doing any business online requires sharing data, where it inevitably gets shared, leaked or shipped across borders. Good luck trying to opt out and retrieve all your personal data when it’s littered around the globe.”

And to tech companies, data is more valuable than gold, noted Terry Ray, chief technology officer at Imperva. It’s more like uranium—extremely valuable, yet radioactive. Controlling this flow of information is difficult for any type of organization, but especially for companies such as Google and Facebook, where the sharing of data is a prime commodity.

Tech companies are expected to fight for changes before the law goes into effect. The bill was pushed through too quickly, they say, and it is too vague. Yet, supporters of the bill point out, these same companies already have groundwork in place because of GDPR.

Will It Work?

As of this writing, GDPR has been in effect for just shy of two months, and yes, there are still data breaches, and we are still not sure how effective it will be in the long run. We should expect the same with the California regulation.

The key will be its implementation, said Justin Gold, chief operating officer at TrueVault. “If companies try to implement this policy and inform California residents through only dense Terms of Service agreements that are sent out over email or with one line pop-ups on their web pages, then this won’t actually solve anything other than paying lip service to solving a problem.”

As for the impact this legislation may have on businesses, “This piece of legislation forces companies to re-think how they collect data in a way that will benefit everyone,” Gold added. “Specifically, this will force companies to switch from the old model of ‘collect as much data as possible and figure out how to use it later’ to one where each piece of data collected needs to be justified.”

Many large companies still have a long way to go in finishing the technical aspects of GDPR compliance, and now companies doing business in California need to be ready for CCPA a year and a half later. “It may seem a big demand on organizations, but in reality, it shouldn’t be,” said Ray. “Most global organizations have already built the framework for these same requirements to meet GDPR over the last few years, so there are plenty of materials, processes and products available to assist California companies with these similar requirements. Whether it’s serendipitous or planned by California, following GDPR might have helped get organizations ready for CCPA.”

Sue Poremba

Security Boulevard


Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
