Is The GDPR Coming To The US?

Imitation is the sincerest form of flattery, right? If so, some European regulators might like what’s going on in California with regard to digital privacy.

This fall, voters in California will vote on a ballot initiative called the California Consumer Privacy Act. According to supporters, they have enough signatures to put it up for statewide approval on Nov. 6.

According to the website in support of the act, it would establish “new, groundbreaking consumer rights” and enable people to “find out what information businesses are collecting about you and gives you the choice to tell businesses to stop selling your personal information.”

The act “brings GDPR [General Data Protection Regulation] to the U.S.,” said Gamelah Palagonia, senior vice president and cyber risk specialist with Willis Towers Watson in New York, according to an article in Business Insurance.

Granted, the site offers no evidence that the proposed act is directly influenced by the European Union’s (EU) recently enacted GDPR, which governs how every single business in the world interacts with consumers and uses their data, regardless of where those businesses are domiciled, so long as Europeans are interacting with them. However, observers anticipate that regulations similar to the GDPR would gain interest in other parts of the world as consumers become more concerned about the privacy and security of the data they share online.

If the California Consumer Privacy Act passes, “businesses that earn $50,000,000 a year in revenue, sell 100,000 consumer records each year or derive 50 percent of their annual revenue by selling your personal information must comply,” according to the website. “All businesses must comply if they collect or sell Californian’s personal information, whether they are located in California, a different state or even a different country.”

Fines could amount to $7,500 per violation. By comparison, the fines for violations of the GDPR range from $12 million or 2 percent of annual gross revenue, whichever is greater, for lower-level infractions, to about $24 million or 4 percent of annual gross revenue, whichever is greater, for higher-level transgressions.

According to an analysis from W. Reece Hirsch and Ellie F. Chapman, attorneys with Morgan Lewis & Bockius, the California law “would give consumers the right to be notified, upon request, of categories of information that a covered business collects, sells or discloses about them, and to whom information was sold or disclosed, as well as the right to prevent the business from selling or disclosing their personal information. The Act would also prevent businesses from discriminating against consumers who exercise those rights.”

If approved by voters, the act would take effect on November 7, according to those lawyers, though it offers a nine-month grace period and “would apply only to personal information collected on or after August 7, 2019.”

Businesses would have to undertake significant work if the act passes. The analysis said, “Given the broad scope of information covered by the Act, it is unlikely that businesses are currently tracking the collection, sale and disclosure of personal information in the comprehensive manner that would be required, which will necessitate collaboration across departments and divisions.”

A rough idea of the work that the California Act would require comes from Lawrence Coburn, the CEO of DoubleDutch, which makes mobile apps for conferences. In an interview with Marketplace, he estimated that his employees have spent “thousands of hours” so far in GDPR compliance efforts, and that the costs of doing so have been “substantial.”

“You have to make sure that you’re set up as a software company for if one of your end users of your software decides that they want to be forgotten, that they want all of their records to be deleted, you have to be set up to do that,” he said. “Any time you start taking 20 Silicon Valley engineers and putting them on something that is not related necessarily to your core business, the costs get very high.”