In the wake of the Cambridge Analytica scandal, restrictions on monetization of personal information (aka PI or PII) are coming to California in 2020. The California legislature unanimously passed a historic bill to adopt many of the core privacy principles of the EU General Data Protection Regulation (GDPR) for California consumers. The bill was fast-tracked into law in order to avoid the likely passage of a more rigorous ballot initiative in the November election.
The key difference between the ballot initiative and the adopted law is that the legislative version can be more easily amended to avoid unintended consequences. Indeed, the industry lobbying has already begun. A statement by the Internet Association immediately criticized the legislation:
“It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
The impact of this new law on U.S. businesses will be far-reaching. The state of California is now recognized as the world’s 5th largest economy, surpassing the United Kingdom. California’s 40 million “consumers” have just gained privacy rights quite similar to those recently afforded to EU citizens by the General Data Protection Regulation (GDPR). Unlike the EU, which is “over there,” California is “over here” and is a market that cannot be ignored.
This new law will bring GDPR privacy principles, including the right to block monetization of personal information, to the doorstep of U.S. for-profit businesses in every state. While the California Consumer Privacy Act of 2018 will allow California-specific landing pages with opt-in and other privacy protections to be served only to CA consumers, in practical terms the IT privacy infrastructure will need to be built and employees trained for all users. From a best practices perspective, most organizations will need to follow the trend toward adopting GDPR principles.
The January 1, 2020 deadline for compliance should serve as a wake-up call to any business that wants to continue to operate in the California market.
Steps to Take Now:
According to the International Association of Privacy Professionals (IAPP), which provides global certification standards for privacy professionals, the first steps businesses must take to prepare for privacy regulation compliance include:
- Prepare data maps, inventories and other records of all personal information pertaining to California residents, households and devices, as well as information sources, storage locations, usage and recipients; and
- Add newly required disclosures to privacy policies, to prepare for data access, deletion, and portability requests, to secure prior consent for data sharing from parents and minors and to comply with opt-out requests to data sharing.
Keep Up With the Evolving Law:
- Additional legislation and regulations are anticipated. Regular review of the evolving law and compliance obligations will be necessary.