
California passes its own GDPR

Law and Technology

Published: July 27, 2018

Over the objections of California’s big data companies like Google and Facebook, the state has recently passed tightened data privacy laws that echo the EU’s General Data Protection Regulation (GDPR). Which brings up the question: do all these companies now regret locating in Cali?

California’s new law is called the Consumer Privacy Act, signed into law by Governor Jerry Brown on June 28, to go into effect January 2020. Since 80 percent of businesses in the EU weren’t ready for GDPR when it took effect May 25, what percentage of businesses do you think will be ready for this? Write your answer on a $20 bill and send it to me at the paper here.

CCPA has been dubbed “GDPR Lite” by journalists who may or may not know what “GDPR Heavy” might be. But the law has some of the most powerful features of GDPR, allowing California residents to control their data in ways they have not been able to do before this.

The law allows consumers to know what information companies are collecting about them, why they are collecting that data and who they are sharing it with. Like the GDPR, consumers are given the ability to tell companies storing their data to delete their data, to not share their data, and to not sell it. Users can opt out from a company's terms of service (TOS) without losing access to its offerings (recognizing, finally, that TOS terms are actually an illegal adhesion contract, which I’ve been saying forever). Data companies are also barred from selling data on anyone under the age of 16 without explicit consent.

And there are penalties, although not nearly as severe as GDPR penalties (which may explain the “GDPR Lite” thing). The law makes data companies responsible for all breaches of their data. Boom. Consumers can sue for up to $750 for each violation. And the Cali AG can sue for $7,500 for each intentional violation of privacy.

The fines obviously don’t matter to companies like Google and Facebook (or Target or any bank). But who knows what an AG investigation would turn up when looking into a data breach or violation of this law? And the bad publicity data breaches always bring. And since most people do some kind of business with a California company, most people are protected by this law. And since California always takes the lead on these things, look for other states to follow suit. Ohio will be next!