California’s New Data Privacy Law Could Make State Companies More Competitive for Overseas Deals
Nov 05 2020
- The passage of California's Prop 24 will hit the data-broker industry hard and create a new state regulatory agency.
- The new law adds stringent legal requirements to how businesses collect and share consumer data.
- The new law is similar to Europe's GDPR law, which could give California businesses a leg up in dealing with European citizen's data.
The implications of California's new consumer data privacy law will ripple through the Golden State and potentially the nation, striking a large blow to the estimated $200-billion data broker industry and heralding a new industry that tracks down shared data and enforces its deletion, experts say.
<p>
<a href="https://dot.la/california-proposition-24-2648623072.html" target="_self">Proposition 24 was overwhelmingly approved by voters</a> Tuesday, just four months after state businesses were legally required to follow new consumer data privacy standards passed by the Legislature in 2018. The new California law, now the nation's strictest consumer data privacy law, adds <a href="https://dot.la/california-proposition-24-2648623072.html" target="_self">even more stringent legal requirements</a> to how businesses collect and share consumer data, ups penalties and potential liability, and sets up a new $10-million-per-year state agency to implement and enforce it.
</p><h2>More Compliance, and a New Industry to Track Down Data
</h2><p>
"The companies are fatigued," said Jim Koenig, partner and co-chair for Fenwick & West LLP's privacy and cybersecurity practice. "Now there's another ballot initiative they have to prepare for as well [and] it's costing more money, more time and more staff focus."
</p><p>
Koenig said the new changes, especially in the nation's largest economy, create a "de facto baseline" on privacy for businesses nationwide because they "can't easily segregate out California customers from the rest of the customers in your program."
</p><p>
That means some companies may have to pick and choose what to comply with, depending on how much risk they are willing to take on, Koenig said.
</p><p>
In an interview with dot.LA Wednesday, San Francisco real-estate developer Alastair Mactaggart, who sponsored the new law, said he felt compelled because the Legislature could always be swayed by businesses that had already tried to gut massive portions of the 2018 law.
</p><p>
"Had this not passed, CCPA [the 2018 law] would have been unrecognizable in five years, for the worse," Mactaggart said. "Your and my expectations of what privacy [is] will change, the Legislature is in the right place for that. But there should also be something to counteract the trillions of dollars on the other side."
</p><p>
With that in mind, the new law includes a type of one-way ratchet that lets it be amended by a simple majority of the Legislature like any other law, as long as the amendments don't harm consumer privacy. Mactaggart's approach diverged from that of the sponsors of the newly passed gig worker measure Prop. 22. Part of that law requires a 7/8th majority in order to change its provisions.
</p><p>
"With all due respect, that's sort of saying I'm going to take my toys, go home, and my vision of the world is perfect," Mactaggart said. "We need something that moves with the times, and goes with the times."
</p><p>
Mactaggart said the new privacy agency's annual budget of $10 million should enable it to hire roughly 50 people, which is double the size of the state Attorney General's privacy enforcement staff and 25% more staff than what the Federal Trade Commission has for the entire country. The new law also removes a provision granting exclusive enforcement of the consumer privacy law to the state AG's office, enabling not just the new agency but also all 58 county district attorneys and major city attorneys to prosecute businesses in violation, Mactaggart said.
</p><p>
Because the law now holds companies responsible for ensuring that data it has shared with third parties or vendors is properly deleted upon request, experts say a new industry of companies will likely sprout up to help track down where data has gone. That's especially crucial with an
<a href="https://www.gartner.com/smarterwithgartner/how-to-choose-a-data-broker/" rel="noopener noreferrer" target="_blank">estimated 5,000 data brokers worldwide</a>, which can make tracking data down especially difficult.
</p><p>
These data-brokers are largely unregulated and sell people's personal information for billions of dollars a year. They include large companies like the credit bureaus — Experian, Equifax and TransUnion — and other smaller firms that aggregate personal information from both public and private sources to sell to other companies for advertising, employment, financial and research purposes.
</p><p>
"A dedicated privacy authority is a game changer," said Gabriela Zanfir-Fortuna, senior counsel for global privacy at The Future of Privacy Forum, a Washington, D.C.-based think tank. "This is something that exists in most of all of the other countries that have comprehensive privacy laws and this is something that currently doesn't exist in the U.S. [There's] the FTC but the FTC has a very broad mandate, in antitrust, consumer protection and then it's also privacy focused."
</p><p class="shortcode-media shortcode-media-rebelmouse-image">
<img type="lazy-image" data-runner-src="https://dot.la/media-library/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yNDY4Njk0OS9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTYxMzg1MTQ3NX0.MaZ2TxV76A3XDbHhkQ5VpGKFxpKw_DkoAQvU7mYm7nQ/image.jpg?width=980" id="6f725" class="rm-shortcode" data-rm-shortcode-id="b6d804ad363cf2e2f9c579aeda1b96f9" data-rm-shortcode-name="rebelmouse-image">
</p><h2>A Leg Up for California Businesses on International Data?
</h2><p>
Experts say the new law is very, very close to the European privacy standard known as GDPR, or the General Data Protection Regulation touted by privacy experts as a gold standard. And that matters because it gives California a potential leg up in being deemed as adequate under EU law to deal with European citizen data flows.
</p><p>
"California businesses are going to enjoy a tremendous advantage over businesses in other states, because the European regulators are going to be more permissive to businesses in a state with a rights-based framework and an agency to enforce it," said Chris Hoofnagle, faculty director of the Berkeley Center for Law & Technology.
</p><p>
Mactaggart believes that this advantage will lead businesses to want to locate servers in California and, ultimately, spur other U.S. states to move toward their own privacy law adoptions. He said he's had initial conversations with European experts who told him California's new law should pass muster in allowing state companies to deal with European data.
</p><p>
Of course, the U.S. and European Union would first need to work out concerns over the U.S. national security apparatus that came to light after the Edward Snowden revelations. In July, the
<a href="https://www.jonesday.com/en/insights/2020/07/schrems-ii-confirms-validity" rel="noopener noreferrer" target="_blank">European Court of Justice invalidated a U.S.-EU agreement on trans-Altantic data flows</a> over concerns about how the U.S national security apparatus deals with European citizen data, and what independent oversight and recourse citizens have. That has left U.S. and E.U. businesses in a sort of legal limbo.
</p><h2>ACLU Opposition And American Appetite For Privacy
</h2><p>
Prop. 24 was notable in that many of the organizations that opposed it like the ACLU, did so because they wanted it to be even stronger.
</p><p>
Jacob Snow, a technology and civil liberties attorney for the ACLU of Northern California, said in a statement Wednesday the new law has "deep flaws" but "sends a clear message from California voters to the California legislature that they expect and demand action to protect their privacy and safeguard their fundamental privacy rights."
</p><p>
Snow said in a statement that it's time for the California Legislature to build on the new law to prohibit companies from charging more for privacy and impose substantial consequences on businesses that break its rules.
</p><p>
All the experts said it was likely that the new California law would put some fire under lawmakers in D.C. to take enacting a new privacy law more seriously.
</p><p>
On Tuesday, Michigan voters overwhelmingly approved — by nearly 89% — a state
<a href="https://ballotpedia.org/Michigan_Proposal_2,_Search_Warrant_for_Electronic_Data_Amendment_(2020)" rel="noopener noreferrer" target="_blank">constitutional amendment that requires a search warrant to access any electronic communications</a>, significantly upping the legal standard necessary to "probable cause." Meanwhile, Washington state lawmakers have again tabled discussion on a new Privacy Act for the third consecutive session, Zanfir-Fortuna said.
</p><p>
"There seems to be this appetite for more data privacy for Americans, especially when they are asked directly to vote on it," Zanfir-Fortuna said.
</p><p>
Many of the details of how California's Prop. 24 will work have yet to be determined. The new privacy agency will be stood up next year and the law won't go into effect until 2023. For many companies, the early rush to abide by the 2018 rule known as CCPA, was frustrated by continual changes as it was finalized.
</p><p>
"There will be a wait-and-see [period]. Companies are going to want to know where to land the plane before they take off on their compliance efforts," Koenig said.
</p><p>
Mactaggart had one message for weary businesses: "If you've taken steps to comply with CCPA it's not like you have to throw it all out, that work is all necessary to comply with CPRA. Now you just need to do more."
</p><p>
___
</p><p>
<em>How does Prop. 24 impact your business? Are you worried? Excited? Hit me up. My DMs are open on </em><a href="https://twitter.com/latams" rel="noopener noreferrer" target="_blank"><em>Twitter @latams</em></a><em>. You can also email me at tami(at)dot.la, or ask for my contact on Signal, for more secure and private communications.</em>
</p>
From Your Site Articles
- Two California Ballot Measures Could Have Outsized Impact On ... ›
- California Passes Nation's Most Stringent Consumer Data Privacy Law ›
Related Articles Around the Web
Read more
Show less
California voters overwhelmingly approved a ballot measure that expands consumer data privacy by limiting what businesses can do with their personal information. The new law puts a stringent baseline privacy standard in place for the nation's largest economy — creating a new enforcement agency and closing an earlier law's loopholes.
The ballot initiative, Proposition 24, won more than 56% of the vote as of Wednesday morning. The new law is the most robust consumer data privacy law in the U.S. Some privacy experts compare it to Europe's data protection rules, which have had a major impact on what U.S. companies can do with data on citizens across the Atlantic.
<p>Among its impacts, the new law —known as the California Privacy Rights and Enforcement Act (CPRA) — requires businesses to provide consumers with the ability to opt-out of having sensitive personal information — such as geolocation, race, ethnicity, religion, genetic data, private communications, specific health information and sexual orientation — collected and requires businesses to refrain from sharing users' personal information if they request it.</p><p>CPRA expands and amends an existing law passed just two years ago, known as the California Consumer Privacy Act (CCPA). That law only began to be enforced this July after a slew of amendments were passed by the Legislature.</p>
<p>
<span style="background-color: initial;">Proposition 24 was put forward by San Francisco real-estate developer Alastair Mactaggart, who had previously put forward a ballot initiative for consumer data privacy in 2018. He withdrew that measure to work with the state Legislature to create CCPA. Mactaggart said the new amendments weakened consumer data privacy rights, prompting him to put forward a new initiative that can't be amended without voter approval.</span></p><p><span style="background-color: initial;">Mactaggart called the new law historic and said it "will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data."</span></p><p>
The ballot initiative was backed by former presidential candidate Andrew Yang, but was notably opposed by the American Civil Liberties Union, League of Women Voters of California and the Consumer Federation of California.
</p><p>
The ACLU of Southern California called the initiative "a fake privacy law" that requires people to "jump through more hoops" and includes carve outs that, for example, let law enforcement direct a business to retain consumer information for 90 days to pursue a court-issued subpoena, order or warrant.
</p><p>
Those in opposition to the new law say an "opt-in" button that makes data privacy a default option — and prevents companies from potentially penalizing consumers for opting-out — would be more effective.
</p><p>
The law establishes a new "California Privacy Protection Agency" to implement and enforce the law as well as impose fines.
</p><p>
Businesses will be required to get permission to collect data from consumers younger than 16, receive parent or guardian approval to collect data from consumers younger than 13 and correct inaccurate personal information, if asked. It requires notice to consumers whether information is shared or sold and details on how long that information is kept. It also allows people to request information be deleted.It is up to businesses to ensure the third parties they provide information to — such as a contractor, partner or vendor — do the same. Lastly, businesses are required to provide "reasonable security" for sensitive data and puts in place penalties for breaches including for emails and passwords.
</p><p>
The Electronic Frontier Foundation, a nonprofit digital rights advocacy group, did not take a position on the measure.</p><p><strong>READ MORE: <a href="https://dot.la/cpra-2648639901.html" target="_blank">On what this law means moving forward, and the winners and losers</a>.</strong></p><p>___</p><p><em>How does Prop. 24 impact your business? Are you worried? Excited? Hit me up. My DMs are open on <a href="https://twitter.com/latams" target="_blank">Twitter @latams</a>. You can also email me at tami(at)dot.la, or ask for my contact on Signal, for more secure and private communications.</em></p>From Your Site Articles
- Two California Ballot Measures Could Have Outsized Impact On ... ›
- What Prop 24 Will Mean For California Businesses - dot.LA ›
- What Prop 24 Will Mean For California Businesses - dot.LA ›
Related Articles Around the Web
Read more
Show less