The recent introduction of the General Data Protection Regulation (GDPR) has done a lot to tackle issues surrounding business’ exploitation of personal data and has led to calls by some tech leaders for a similar legislative approach in the U.S. at a Federal Government level. Just last month, was created, promising similar rights for the State’s 40 million citizens as Europeans received with GDPR.
The hastily approved Act, which is due to come into effect on Jan. 1, 2020, affords citizens the right to see what information of theirs is being collected by businesses and to request that data be deleted. They will also be able to find out whether their information is being sold to third parties, including advertisers, and to request they stop doing so. It is by some stretch the most comprehensive privacy law in the country, but it’s not without fault.
California is known across the world for Silicon Valley and the endless amounts of world-changing technology businesses it has given birth to. The irony is the businesses that call the state home are precisely those causing the need for such regulatory overhaul by pushing the boundaries on technology, and as a result, privacy.
California has a long history of taking privacy seriously and has led the United States in terms of the creation of privacy laws. In 1972, Golden State voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people, and in doing so gave every Californian a legal and enforceable right of privacy. Since then, more laws have been passed to safeguard state citizens, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light.
While GDPR was accused of being ambiguous for its lack of specificity, it looks comprehensive in comparison to the California Consumer Privacy Act. Its very creation was to curb the abusive practices of online businesses trading consumer data for financial income. Unfortunately, through some loose categorization of businesses, the Act has the potential to include websites that collect IP addresses of sites with over 137 unique visitors per day. That is just one example, but there are plenty more. And it matters.
In 2017, over 1.7 billion files were through breaches. After the California Consumer Privacy Act comes into force, organizations mishandling data could be penalized up to $7,500 for each violation, which could add up significantly based on the 2017 data. If you look specifically at data breach penalties across the different states, they vary significantly; Texas imposes civil fines of up to $50,000 per violation while Georgia imposes no penalty at all. For me, this is where the problem lies.
If each state takes a local approach to data privacy, the United States will become a patchwork of regulation, and unless state laws can come to a common agreement, it might soon become a challenging and less friendly place to do business. That’s not a good thing for anyone.
A discussion of a new proposed federal law, “Data Acquisition and Technology Accountability and Security Act,” would pre-empt state breach notification laws, but has received widespread criticism. It isn’t perfect. It’s too focused on notification itself rather than providing consumers with the rights needed for modern, everyday lives. But if it could be adjusted and expanded, it would be a better way of handling state-wide data privacy concerns and data management practices.
What would be preferable is if the law could mirror the GDPR, a very thorough and active piece of regulation. The hard work for legislators is largely done, and it would reduce the compliance costs for American businesses and encourage a fast start. Given we’re now on the backfoot and in desperate need of such a law, common sense says use something global businesses are already working with, rather than the laws 50 states independently create.
California has made the first move, but is it the right one? I’d be keen to hear your views on this.
