The U.S. state of California has agreed to implement a new data privacy law, along the lines of a new regulation recently enacted in Europe. Could this be the trigger for a U.S.-wide roll-out? We talk with data privacy expert John Tsopanis, of 1touch.io.
On Jan. 1, 2020, a California resident will have the legal right to ask any big company in the U.S. what they are doing with their data, and each company will have to respond within 45 days. There are parallels here with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which applies to the European Union. Such regulations put significant financial and organizational pressure on companies. They also impose restrictions on companies that do business in their geographic zone, regardless of where the company is located. What are the implications of the new California regulation for the rest of the U.S.? To understand more, Digital Journal spoke with privacy data expert John Tsopanis of 1touch.io.
Digital Journal: How secure is data in California currently?
John Tsopanis: California is a $2.7 trillion economy, the 5th largest in the world, and is built on big data — specifically the buying and selling of big data. In order to secure data, you have to first understand where it is, and America’s culture of almost unlimited proliferation of personal data to third parties with very few conditions attached means the American security landscape in regards to personal information is in a dire condition.
DJ: What’s changing in terms of data legislation?
Tsopanis: Over the next 18 months, the California Consumer Privacy Act will obligate American companies to identify all of the categories of personal information they process relating to California residents and disclose who they sell it to or share it with, upon request. This data identification exercise is the first building block to securing personal data in the US, but there is a long way to go. The state of play in 2018 for data privacy practices in America is an almost standing start.
DJ: How about businesses outside of California? Will they be affected?
Tsopanis: The law protects the privacy rights of California residents across the United States. As such, the number of American companies who must comply with this law is significantly higher than those who currently have to comply with the GDPR. It will affect multiple businesses in every U.S. state.
The law applies to any business with over $25m revenue that processes the personal information of a California resident and ‘does business’ with the state of California. The definition of ‘does business’ is incredibly broad and does not necessarily require a physical presence in California. Having a commercial presence such as ecommerce could qualify.
To understand the scale of how many companies will have to comply, consider the company Wendy’s. It is 999th out of 1000th on the Fortune 1000 with an annual revenue of $1.2 billion, 48 times higher than the threshold for applicability under this law (and of course Wendy’s has stores in California). Almost every US company of that size is going to qualify under similar conditions, so that’s 1,000 billion dollar companies in America who need to comply with this law, and significant orders of magnitude greater than that in the $25 million-$1 billion revenue category.
DJ: How likely are other states to adopt similar laws?
Tsopanis: Almost certainly. The rights afforded to California consumers in privacy notices, in the rights to opt out of data usage, and in the class action lawsuits that Californian citizens will bring against organizations who breach their personal information will lead to a rapid uptake of similar privacy laws across states upon implementation, most likely resulting in the creation of privacy law at federal level within 18 months of implementation. It doesn’t make sense to fragment the data privacy landscape in the US, and California is the capital of data.
It’s almost impossible to do business in the U.S. without sharing data with California, and the political consequences from data misuse will be much clearer to American citizens by 2020. I am optimistic that this law will be rolled out at a federal level.
DJ: What are the parallels between the Consumer Privacy Act and European GDPR?
Tsopanis: Both give citizens the power to request full reports on what personal information an organization has on them, why they have it, and who they share it with. Both also allow consumers to opt out of the processing and selling of their information. These are the foundations of an individual’s ability to exercise the right to privacy, and the cornerstones of a free and functioning digital democracy, and thus the core of both legislations.
The California Consumer Privacy Act goes further than the GDPR with a broader definition of personal information, which includes tracking technologies and unique identifiers such as IP addresses and device identifiers. This places a greater obligation on American companies to fully identify their personal information estate, especially if they’re collecting information on citizens as they move through their websites and the wider Internet.
DJ: What’s the overall impact of such privacy laws?
Tsopanis: The California Consumer Privacy Act also requires organizations to disclose accurate names and contact addresses for the third parties that they have sold personal information to in the past 12 months, an obligation not included in the GDPR. This is going to give the American people (and Californian journalists) the ability to start mapping out the networks of data buyers and sellers who were previously operating in secrecy.
I think the most powerful impact of this, going back to the context in relation to Cambridge Analytica and the dangerous network of proliferated third party data sharing, is allowing the people to shine a light, scrutinize and investigate the data practices of the organizations that profit from buying and selling our personal information and psychological profiles, and who use that information to decide whether or not they want to buy access to our screens.
In a companion article, John Tsopanis looks at the impact of the California legislation upon businesses and consumers located or interacting with the state. See: “What the California Consumer Privacy Act means for business: Q&A.”