‘GDPR-California’ is a victory, but not the endgame of ‘GDPR-US’ - the fight goes on

In a long career full of memorable declarations, Oracle founder Larry Ellison once announced:

Privacy is dead!

At the time, he was making the point that traditional ideas of what constitutes privacy were changed by the rise of the internet and social media.

But in recent times, privacy as a concept has come back from the dead and is alive and kicking following the Facebook scandal, on the back of which there have been growing calls for tougher regulations and greater transparency around the collection and management of personal data.

In Europe, the recent introduction of the General Data Protection Regulation (GDPR) has done much to tackle issues around B2C data exploitation and has led to calls by some tech leaders for a similar legislative approach in the U.S. at Federal Government level.

That’s a battle that’s yet to be fought and won, but advocates of a new data regime got a boost late last week with the signing of the California Consumer Privacy Act.

While this doesn’t go as far as GDPR, it will afford California’s 40 million citizens the right to see what information is being collected about them and to request that data be deleted. They will also be able to find out whether their information is being sold to third parties including advertisers and to request that they stop doing so.

The Act is slated to come into effect on 1 January 2020 after which companies could be penalised up to $7,500 for each violation. The rules will be enforced by California’s attorney general.

Governor Jerry Brown signed the new Act just hours after its unanimous approval by the State Assembly and Senate. The primary reason for such haste was to fend off a ballot initiative to coincide with the November mid-term elections that would have pushed for more stringent rules.

That ballot initiative had attracted more than 600,000 signatures to date. The group behind it, Californians for Consumer Privacy, agreed to withdraw the ballot if the bill was passed this week.

Victory?

So score one for data privacy? Well, yes, up to a point. Privacy advocacy group Common Sense Media’s CEO James Sheyer said:

The state that pioneered the tech revolution is now, rightly, a pioneer in consumer privacy safeguards, and we expect many additional states to follow suit. Today was a huge win and gives consumer privacy advocates a blueprint for success. We look forward to working together with lawmakers across the nation to ensure robust data privacy protections for all Americans.

But with Facebook Google, AT&T, Comcast and Verizon having all chucked $200,000 into the pot to create a fighting fund to oppose the new Act, it’s unlikely that they - and others who have yet to put their money where their mouths are - will be giving up just yet.

Will Castleberry, Facebook's Vice-President of State and Local Public Policy, issued a rather grudging ‘could be worse’ comment:

While not perfect, we support (the Act) and look forward to working with policymakers on an approach that protects consumers and promotes responsible innovation.

Some tech trade associations also expressed their concerns. Robert Callahan, Vice-Rresident of State Government Affairs at the The Internet Association, whose members include Amazon, Facebook, Google and Microsoft, expressed disquiet at the speed with which the Act was signed:

Data regulation policy is complex and impacts every sector of the economy, including the internet industry. That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.

It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.

Meanwhile Linda Moore, CEO of the lobby group TechNet, took a ‘work in progress’ angle:

While this law adds a significant new layer of privacy protections for California consumers, even its authors have acknowledged it is far from perfect and will need revisions in the months ahead as its consequences and workability are better understood.

The most publicly-outspoken backer for tougher regulations of late has been Salesforce CEO Marc Benioff, who has repeatedly called for a GDPR-style regime to be introduced at federal level in the U.S.

Salesforce had been looking to the November ballot initiative as a leverage point in a wider campaign. The firm’s Data Protection Officer Lindsey Finch told diginomica earlier this year that the ballot and the arrival of GDPR meant that the right conditions were being created for change:

With GDPR imminent and the California Privacy Ballot coming up we really do think it is time to have a Federal Privacy Law, that is the Salesforce corporate position. We see it as key to rebuilding trust with technology companies overall. This won’t just be a copy and paste, we will have to go through our own processes, but the principles of people having control over their own data and big companies being accountable for their privacy practices are elements that we would like to see translated into US law.

Following the vote last week, the company said in a statement:

Salesforce commends our state legislators for advancing privacy legislation meant to protect consumers. However, the law contains some shortcomings. We hope to work with the legislature to address them before the law is implemented. At Salesforce, we believe that the U.S. needs a federal privacy law in order to provide consistent privacy protections for all Americans, no matter their zip code.

In other words, the fight goes on.

My take

This is a significant development, but it’s far from the endgame. While providing encouragement to those pushing for stronger data privacy laws, this victory in California will also act as a rallying cry to opponents of such change. Expect both sides to step up on the lobbying front. What will be particularly interesting is to see who on the naysayer side is prepared to go public with their opposition...