California Data Privacy Law to Take Direct Aim at China

Director of security policy and global privacy officer for Intel David Hoffman (3rd L) testifies during a hearing before the Senate Judiciary Committee on Capitol Hill in Washington, D.C. on March 12, 2019. The committee held a hearing on "GDPR (EU General Data Protection Regulation) & CCPA (California Consumer Privacy Act): Opt-ins, Consumer Control, and the Impact on Competition and Innovation." (Alex Wong/Getty Images)
Chriss Street
11/25/2019
Updated: 11/25/2019
News Analysis
The California Consumer Privacy Act will require Chinese companies that collect privacy data on at least 137 residents per day to allow consumers to “opt-out” of being surveilled.

The CCPA, which will take effect on Jan. 1, requires all for-profit companies anywhere in the world that do business in the state directly or indirectly through any third-party on “connected devices” to use “reasonable” security measures to inform consumers of any type of information collected and give consumers the “right” to opt-out of data collection.

Some analysts suggest California’s massive new privacy law, officially titled SB-327, is similar to the European Union’s General Data Protection Regulation (GDPR). But the Golden State’s law also includes “Internet of Things” (IoT) devices that can wirelessly transmit data to a network. Current examples of IoT devices subject to the law would include “smart” home assistants, universal remotes, thermostats, doorbell cams, smoke alarms, door locks, light bulbs, electrical outlets and many toys.

There are approximately 7.62 billion humans currently on Earth. In addition to about 5 billion computers and smartphones, there are another 26.66 billion IoT devices. Statista estimates that the number of connected IoT devices globally will triple by 2025 to 75.44 billion and generate about 45 percent of the world’s mobile data traffic.

Key to the expansion of IoT devices is the rollout of Fifth Generation (5G) mobile networks, which are expected to grow from just 13 million users today to about “two thirds of the global population” by 2025.

The CCPA defines qualifying businesses under the law as any “(a) for-profit business; (b) doing business in California and (c) collects consumers’ personal information themselves or through others or determine the purposes and means of processing consumers’ personal information.”

The law states that coverage is limited to large commercial entities with annual gross revenues over $25 million that “collect personal information of 50,000 or more consumers, households, or devices.” But the California Attorney General recently issued proposed regulations under which, through the CCPA clause “alone or in combination,” the qualifying-business threshold expands to include any third-party customer, supplier, consultant, or user that buys, receives, sells, or shares personal data around the globe.

CCPA rights for consumers include “finding out what information about the consumer a business possesses, the right to deletion of certain information, the right to opt out of the sale of information, and so on.”

China is specifically targeted, according to the China Law Blog, because “doing business” under the California Attorney General regulatory guidance is construed broadly to include “seemingly minor relations to the state of California” and because “any firm that collects personal information from more than 137 consumers or devices a day will meet the 50,000 threshold.”

China’s top manufacturers have dominated the consumer electronics markets for decades and, through state-championed 5G leadership, are expected to dominate IoT “smart” networks. But huge Chinese entities will soon have an incredibly complicated compliance task: identifying how, “alone and in combination,” they collect or obtain information from any source and what they do with it.

It will also be each business’s responsibility under CCPA, no matter where it is located, to communicate its privacy policies to California consumers with disabilities. That means the privacy policy currently followed by most companies, which amounts to posting a disclosure in small-print legalese on an obscure company website in one language, will not be legally compliant under CCPA.

CCPA creates a private right of redress for consumers to seek statutory or actual damages in the event of certain privacy breaches where a company failed in hindsight to adopt “reasonable security measures.”

The China Law Blog comments that the CCPA language almost guarantees there will be a boom in class-action lawsuits against companies, especially in China, that fail to have “reasonable security measures” in place.

Chriss Street is an expert in macroeconomics, technology, and national security. He has served as CEO of several companies and is an active writer with more than 1,500 publications. He also regularly provides strategy lectures to graduate students at top Southern California universities.