Does California’s own GDPR create more problems than it answers?

Danny Allan,
VP of Product Strategy

@dannyallan5

Published date: September 18, 2018

The recent introduction of the General Data Protection Regulation (GDPR) has done a lot to tackle issues surrounding businesses’ exploitation of personal data and has led to calls by some tech leaders for a similar legislative approach in the U.S. at a Federal Government level. Just last month, “The California Consumer Privacy Act of 2018” was created, promising similar rights for the State’s 40 million citizens as Europeans received with GDPR.

The hastily approved Act, which is due to come into effect on Jan. 1, 2020, affords citizens the right to see what information of theirs is being collected by businesses and to request that data be deleted. They will also be able to find out whether their information is being sold to third parties, including advertisers, and to request they stop doing so. It is by some stretch the most comprehensive privacy law in the country, but it’s not without fault.

California is known across the world for Silicon Valley and the endless amounts of world-changing technology businesses it has given birth to. The irony is the businesses that call the state home are precisely those causing the need for such regulatory overhaul by pushing the boundaries on technology, and as a result, privacy.

California has a long history of taking privacy seriously and has led the United States in terms of the creation of privacy laws. In 1972, Golden State voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people, and in doing so gave every Californian a legal and enforceable right of privacy. Since then, more laws have been passed to safeguard state citizens, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light.

While GDPR was accused of being ambiguous for its lack of specificity, it looks comprehensive in comparison to the California Consumer Privacy Act. Its very creation was to curb the abusive practices of online businesses trading consumer data for financial income. Unfortunately, through some loose categorization of businesses, the Act has the potential to include websites that collect IP addresses of sites with over 137 unique visitors per day. That is just one example, but there are plenty more. And it matters.

In 2017, over 1.7 billion files were leaked through breaches. After the California Consumer Privacy Act comes into force, organizations mishandling data could be penalized up to $7,500 for each violation, which could add up significantly based on the 2017 data. If you look specifically at data breach penalties across the different states, they vary significantly; Texas imposes civil fines of up to $50,000 per violation while Georgia imposes no penalty at all. For me, this is where the problem lies.

If each state takes a local approach to data privacy, the United States will become a patchwork of regulation, and unless state laws can come to a common agreement, it might soon become a challenging and less friendly place to do business. That’s not a good thing for anyone.

A discussion draft of a new proposed federal law, “Data Acquisition and Technology Accountability and Security Act,” would pre-empt state breach notification laws, but has received widespread criticism. It isn’t perfect. It’s too focused on notification itself rather than providing consumers with the rights needed for modern, everyday lives. But if it could be adjusted and expanded, it would be a better way of handling state-wide data privacy concerns and data management practices.

What would be preferable is if the law could mirror the GDPR, a very thorough and active piece of regulation. The hard work for legislators is largely done, and it would reduce the compliance costs for American businesses and encourage a fast start. Given we’re now on the back foot and in desperate need of such a law, common sense says use something global businesses are already working with, rather than the laws 50 states independently create.

California has made the first move, but is it the right one? I’d be keen to hear your views on this.
