How the California data privacy law could cause shockwaves in the US

17 Jul 2018

The passage of the strict data privacy bill in California shows that a change in how the US deals with data could be on the way.

The Golden State’s sweeping new privacy bill that passed at the end of June came as a surprise to many.

The California Consumer Privacy Act (AB 375) was introduced by state assembly member Ed Chau and California state senator Robert Hertzberg to defeat an even stricter ballot measure that had gained traction. Hundreds of thousands of citizens signed a petition supporting that measure, spearheaded by Alastair Mactaggart, a real-estate mogul and privacy campaigner.

California now faces the unusual position of eventually having the strictest data privacy laws in the entire US, but there is still quite a way to go before the fully formed act is made permanent. What we do know is that US citizens are mobilising when it comes to their digital privacy rights.

Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, spoke to Siliconrepublic.com about the changing sentiment among citizens, the problems with the law and the future of data privacy in the US.

How will this act change law in the rest of the US?

The law is now open to amendment, something Simberkoff and other privacy professionals deem to be highly necessary. “The law itself is a little bit vague so, to a certain extent, it does need to be modified, to be a little bit clearer if nothing else.”

In terms of how such a drastic piece of legislation became a high priority for many Californian citizens, Simberkoff described the lead-up to the bill’s passage as “a perfect storm” consisting of Facebook’s Cambridge Analytica scandal, the May enforcement of GDPR and an ever-growing list of massive data breaches across the US and around the world.

She also noted that although many are calling the law ‘GDPR 2.0’, there are some major differences between the two. “The definition of personal information is extremely broad under the law right now. It goes well beyond even what the GDPR calls personal information – browsing history, basically any electronic record of what you are doing under this law.”

Another key difference is that the California rules as they stand maintain the ‘opt-out’ model of consent, directly contradicting GDPR.

Although the law will technically only come into effect at the start of 2020 and will ostensibly only apply to California residents, the impact is set to be much more wide-ranging. Global tech firms have made California their home – and lobbied against this law – after their GDPR headaches. Most major firms in the US have Californian customers, so does this mean non-Californians will be disgruntled at their comparative lack of options?

Looking ahead

So, what does Simberkoff think is next for the bill, its proponents and its opponents? “I think they [opponents] will lobby for it to be clarified at a minimum.”

It is far from a doomsday situation, though, particularly for firms who have put in the spadework to comply with EU rules. “If you’re already doing the work for GDPR, then you would have a programme in place to comply with this law if you can even define compliance at this point.”

Simberkoff believes an appetite for a national law will only grow, regardless of the inevitable modifications and clarifications on the way down the line.

The power of individuals to change a landscape was also touched on, as Simberkoff referenced EU privacy campaigner Max Schrems, as well as the mobilisation of Californians by Mactaggart’s campaign. “It shows that individuals can have an impact on data.”

As far as what modifications she expects, she simply hopes that the final version of the law is “thoughtful, possible and practical”.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects