California Attorney General Xavier Becerra has unveiled new privacy proposals which have the potential to rival the impact of Europe’s GDPR on the digital economy.
When Europe announced its General Data Protection Regulation the digital economy was thrown into chaos. Businesses around the world had to audit monstrous amounts of data, as well as reconfigure business models, data collection procedures and relationships to ensure compliance. The rules being proposed here are slightly different, but Becerra is enforcing a privacy first mentality which might not sit comfortably with some in the digital economy.
There are three components of this proposed legislation to keep an eye-on. Firstly, the consumer has the right to request details on the data being stored by companies. Secondly, they have the right to demand this information be deleted. And thirdly, companies will have to seek consent from the consumer to monetize the data.
“Knowledge is power, and in the internet age knowledge is derived from data,” said Becerra. “Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private.
“We take a historic step forward today to protect Californians’ inalienable right to privacy. Once again, California leads the way putting people first in the Age of the Internet.”
However, before the privacy enthusiasts get too excited, there are some hurdles to negotiate. The original California Consumer Privacy Act (CCPA) has been passed, and will come into effect on January 1, though there have been additional bills passed to water-down the strength of these rules.
Although this will hit some like a bad smell, this is the reality of politics. Lobbyists in the US are incredibly powerful, and they are being fuelled by a very profitable technology industry with a lot to lose. This is not to say the new rules will not make an impact, though they might not be as revolutionary as some would hope when they come into effect.
That said, this will create the strongest privacy legislative regime across the US, ironically, in the home of the company’s who play so carelessly with privacy rights.
Looking at the similarities with GDPR, it does seem there has been some inspiration drawn from the rules. The right to request more information, as well as the right to demand deletion, are two elements which seem to be taken from GDPR. The final element mentioned above is very interesting and we suspect will be the focal point of the lobby efforts as these rules gather momentum.
The inclusion of a ‘Do not sell my data’ link is an aspect no-one in the data-sharing economy will want to see. The industry has largely profited to date through inaction. No-one can do anything about the monetization of data short of refusing to download the app. Consumers are effectively being forced into participating in the digital economy as there are no rules to provide an alternative. This element of the legislation would certainly cause a stir.
Some people will not like the fact companies are making money off their personal data if they are not getting a share of the rewards, irrelevant as to whether they are getting a service for free. Some will object on ethical grounds. Some will reject the concept as the risk of data breaches or leaks is deemed too great. Some will feel uneasy as there are still so many unknowns regarding the darker corners of the world wide web.
Irrelevant as to why an individual might not like the current status quo, as there has been no alternative, it has mattered little. The introduction of an alternative presents a lot of unknown scenarios. More moving parts will have to be factored into risk assessment protocols. It presents uncertainty, which is the enemy of profit.
Interestingly enough, Becerra seems to have learnt the residents of Silicon Valley have very elusive lawyers. Also included in the rules are definitions of those who would be subject to the rules. The company would have to:
- Have revenues in excess of $25 million
- Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices
- Derives 50% of annual revenues from selling data
These are quite crafty conditions and could potentially cover every type of organization out there. The lawyers will have to be on top-form to find the grey areas here.
The rules still have to negotiate the turns and throws of the political aisles before the digital economy gets too worried, but California is setting the pace when it comes to tackling privacy concerns in the US.