Anytime a new statute or regulation comes along, some service providers can’t help but jump on the fearmongering bandwagon. This seems to be worse the longer the statute, and the more complex and obscure (and therefore hard to verify) its provisions.
Earlier this year I published an article titled “Firms Breed Misconceptions and Confusion Surrounding the GDPR” that focused on inaccuracies that were being published about the European General Data Protection Regulation (“GDPR”). With the GDPR less than two weeks in force, and the urgency surrounding companies’ push to get GDPR compliant by the enforcement start-date waning, there now seems to be a rise in fearmongering about the next big potential privacy legislation on the horizon – the California Consumer Privacy Act of 2018.
The Act is not an “act” at all – it is an initiative that may appear on the ballot in California during the November elections. Consultants, bloggers, and, sadly, some well-respected law firms, have hyped the initiative as “very similar to the GDPR,” and a “sweeping, GDPR-like privacy regime.”
This is simply irresponsible and misleading.
While the ballot initiative proposes some interesting, and arguably misguided, privacy requirements, few of those requirements have any analog within the GDPR. Furthermore, equating the California initiative to the GDPR masks its real aim, purpose, and danger.
To help decipher the ballot initiative, and provide a frame of reference against the GDPR, the chart linked here compares the core requirements of the GDPR against the core requirements of the California ballot initiative. As it indicates, the ballot initiative only impacts 3 of the 12 core requirements found within the GDPR. With regard to those three requirements, the substantive impact of the initiative (putting aside the penalty structure) is tangential at best. For example, the GDPR requires that almost every company subject to its jurisdiction provide a privacy notice to data subjects about whom the company collects information. The California ballot initiative does not contain a similar requirement. Instead, it tweaks the components of what to include within a privacy notice, without changing the pre-existing requirements found within the California Online Privacy Protection Act (“CalOPPA”) concerning when a privacy notice must be provided. As another example, the GDPR provides data subjects with a right to access the personal information that a company maintains about them. The California ballot initiative does not require that consumers receive a copy of the personal information that companies hold about them; only that they be told the “categories” of information that were collected about them and where that information was transmitted. Again, this amounts to more of a tweak to the pre-existing California Shine the Light Act than an emulation of the GDPR.
That is not to say, of course, that the California Consumer Privacy Act of 2018 is uneventful or uninteresting. If passed, it would have far-reaching substantive and practical implications.
The substantive meat of the ballot initiative can be found in its proposal that consumers should have a right to opt out from the sale of their personal information, and in its proposal that companies should be precluded from offering free versions of their services (e.g., a free app) in exchange for the right to market consumer information and a paid version of their services (e.g., a subscription app) where there would be no right to market consumer information. The disruption that such prohibitions could have on the ability of companies to innovate online, and to provide free service offerings to consumers, should not be underestimated.
The practical meat of the ballot initiative is found in the draconian statutory damages that it would create (i.e., between $1,000 and $3,000 per consumer), the relaxation of the traditional common law requirement that a plaintiff must show that they have been harmed to seek recovery, and the definition of “business” that focuses the impact of the initiative on only large, well-funded organizations.
Lawyers, consultants, and service providers have done a disservice to their clients by equating the ballot initiative to the GDPR. While it may grab clients’ attention, it hides the real story behind the ballot initiative, which is that it is built to benefit the class-action plaintiffs’ bar at the expense of consumer choice, and has little to do with furthering true privacy interests.