The California Consumer Privacy Act of 2018 is a ballot initiative that has gained more than enough signatures to appear on the November 6, 2018 general election ballot. If approved by the voters, the Act will greatly expand privacy rights in California. It will apply to larger companies that do business in California as well as entities that collect substantial amounts of Personal Information from California residents.
California has in the past led the US in various trends and regulations, good and bad. Freeways, Beach Boys, hippies, hipsters, car culture, bikers, early Burning Man, the music industry, and Hollywood helped define US culture. Well-known regulations and restrictions on air quality such as CARB (CA Air Resources Board), on "chemicals known to the state to cause cancer or reproductive toxicity" such as Proposition 65, and on offshore drilling have been very influential. Facebook, Google, Apple, Airbnb, Tesla, and, yes, Theranos are all California companies.
Beauty is in the eye of the beholder
In 1976, a wealthy acquaintance in the Bel Air hills invited me for drinks to survey the skyline overlooking Los Angeles at dusk from his poolside perch. Like the successful Mr. McGuire in The Graduate urging Ben to steer his career towards the plastics industry,
There's a great future in plastics. Think about it. Will you think about it?
my acquaintance was enticing me with his decades-old vision of the beauty, hope, and opportunity of settling in LA. But in the darkening red sky, looking over downtown LA, I saw the thick carpet of that day's smog bearing down on the skyline, and in the foreground numerous police helicopters were beginning spotlight patrols over poorer LA neighborhoods.
Whatever your position on the merits of privacy regulation, one thing is clear: California is a historical leader. My recent visits to LA have shown that thick smog was not a feature but a bug. By virtue of its population (39.54 million) and its GDP standing as equivalent to the 7th or 8th largest economy in the world, California is perhaps the only single state that can lead the US toward a GDPR or opt-in consent type of privacy regulation on its own. From an information governance perspective, it is sound legal advice to urge organizations covered by multiple jurisdictions' laws to comply with the most restrictive one, which incorporates the requirements of all lesser obligations. This was true for non-resident organizations dealing with Massachusetts' privacy and data security law (201 CMR 17.00), and it is likely to be the case with the California Consumer Privacy Act of 2018 if it becomes law.
Organizations may currently think they can get by without the EU market to save on GDPR-type compliance. The entry of California into the "Privacy by Default" realm will be a very big deal.