The California Consumer Privacy Act (“Act”) has been hailed as a groundbreaking privacy law in the United States, adding to the United States’ patchwork of various state and sector-specific privacy laws. The Act will be effective January 1, 2020, but its recordkeeping requirements require companies to have proper records with respect to personal data dating back to January 1, 2019. The Act was hastily drafted within a week to avoid a more severe ballot measure, as opposed to the four years of drafting behind the European Union’s General Data Protection Regulation (“GDPR”), which became enforceable on May 25, 2018. Thus, there are various ambiguities and inconsistencies in the Act that we expect to be amended and clarified by the state Attorney General’s implementing regulations.
Under the Act, the broadly defined “consumer” has various rights, including the right to opt out of sales of their personal data. While companies are prohibited under the Act from charging different prices or providing differing service levels to consumers who exercise their opt-out rights, the Act permits businesses to offer certain financial incentives for the right to collect and sell a consumer’s information. The Act has been compared to the GDPR, and while the Act and the GDPR are similar in some ways, there are many differences that will make compliance more of a challenge for international companies.
California typically leads the way in implementing new privacy laws (such as the security breach notification laws), and we expect that other states will follow with similar “GDPR-like” laws. Indeed, just last week a new privacy bill was proposed in the Washington State legislature that would give individuals rights to access, update, correct and object to certain processing. Companies have touted the need for a comprehensive United States privacy law, as complying with various sector-specific state laws can be burdensome. Now, Senator Rubio is introducing a federal bill, the American Data Dissemination Act, that is largely based on the Privacy Act of 1974. The American Data Dissemination Act would preempt many state privacy laws. While it is debatable whether a bill based on a law from 1974 is appropriate to the data and technology of today, a comprehensive federal privacy law would streamline and simplify compliance. With the potential for large fines for violation of privacy laws both abroad and in the United States, many would welcome a comprehensive approach.
Historically, FTC fines in the United States for privacy violations have been significantly higher than fines in the European Union, but the potential fines under the GDPR are much higher. Last week Google became the first United States technology company to be hit with a fine under the GDPR, in the amount of $57 million. The French data protection authority alleged that Google violated two key aspects of the GDPR: the transparency requirements, and the requirement of a legal basis for processing with respect to ad personalization. The lack of transparency arose because users must wade through Google’s numerous linked and embedded terms to determine how their data is used. The issue with ad personalization arose, in part, because user consent was not specific and the choices for ad personalization were ticked by default. Google is appealing the fine.
With the various laws that may be applicable to a company, companies must proceed with caution and be diligent about their privacy and data collection practices.
Below is a chart that sets forth the major differences between the GDPR and the Act.