California’s New Data Privacy Law Brings Big Changes

October 16, 2019 Updated: October 16, 2019

A new California privacy law set to take effect in January is expected to radically change how companies manage consumer data.

The California Consumer Privacy Act, or CCPA, seeks to limit the third-party acquisition of user data, which is a major source of profit for certain brands. It would grant state consumers a right to know what type of information companies have collected, a right to have that information deleted, and a right to opt out of the sale of that information.

“A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection,” reads a portion of the state’s proposed new regulations (pdf), released on Oct. 10.

“If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.”

Last week, Gov. Gavin Newsom signed seven CCPA-related bills into law, including legislation that gives exceptions for certain personal information. One of the bills, AB-25 provides a yearlong exemption for data from employees, contractors, and job applicants.

Several public hearings have been scheduled in early December for anyone seeking to present comments either orally or in writing about the CCPA regulations in Sacramento, Los Angeles, San Francisco, and Fresno. The public comment period ends on Dec. 6.

Big tech companies in the Silicon Valley lobbied for months to try to weaken certain provisions of the CCPA. The Internet Association, a trade group for big tech companies such as Google, Facebook and Amazon, spent almost $176,000 last quarter to contest the law, according to the Washington Post.

Leading up to the end of the legislative session, the Internet Association placed ads across Facebook and Twitter warning users that the law could harm internet freedom.

“The FREE websites and apps you use every day could start costing you,” read one ad.

“Using the internet shouldn’t hurt your wallet,” read another, leading users to believe that such legislation would require users to pay to use social media sites.

These ads reportedly targeted people mostly in the Sacramento area. However, despite lobbying efforts to weaken the law, no major changes were made.

The new law is similar to the European Union’s General Data Protection Regulation, or GDPR, but is far less reaching in scope.

Zach Edwards, Chief Data Architect of Meta X, a global data supply flow monitor, said that the CCPA, which was written and passed in a one year period, lacks the enforcement mechanisms that GDPR has.

“[The EU] took the more classical constitutional amendment approach, and this was first proposed in the 90s. It went through a massive process to get through all the EU states,” Edwards told The Epoch Times. “In California, it was approached differently because an individual was trying to get people to stop sitting on their hands.”

That individual, Allister McTaggart, a wealthy real estate mogul, leveraged the state’s ballot initiative process to contest the power of the tech industry after a conversation he had with a Google engineer made him worry about data privacy. His ballot measures reportedly had a number of loopholes, and the legislature decided to take matters in to their own hands by passing the CCPA.

Edwards said that the conflict over McTaggart’s ballot measure and the legislature’s bill led to a rushed piece of legislation in comparison to its EU counterpart.

“Where GDPR took over a decade and thousands of conversations, this was literally one person going, ‘We’re in America, we don’t have to do it the slow European way. I’m going to drop a little money, put it on the ballot, force all of you goofballs to accept the much worse ballot initiative or write your own law and get it passed,’ and he was successful.”

If the CCPA had been a bill that had granted Americans new rights, like the GDPR the process would have been much longer, said Edwards. The CCPA instead simply placed restrictions on companies, speeding up the process.

One major flaw of the CCPA, Edwards said, is that the penalties for violations are very unclear, while with the GDPR the penalties are very specific.

“GDPR has a huge amount of nuance where the regulators in each country get to decide how malicious or purposeful the violation was. That’s how we need to do it in the United States, with nuance and with the eye to not imploding the marketplace on the internet,” Edwards argued.

Edwards says that while the CCPA is a step in the right direction, the United States at the federal level needs to make its own version of the GDPR to protect user data.

“It’s a testament to the importance of the internet and data privacy that GDPR actually got implemented and passed in Europe. In the United States, we just need to have a multi-month debate around data privacy.”

All 50 states have already passed breach notification laws designed to protect user data. As of March 2018, the U.S. Virgin Islands, Puerto Rico and Guam have also passed such legislation.