By Contributing Author
Most of us know that too much data about everyone is floating about online, even though we put most of it up ourselves. However, while we nominally have control over who can see the content that we post to our social media pages, Cambridge Analytica showed us how someone can build bots and data scrapers to go and collect our data even if we think we posted it privately.
There are now entire businesses that are built upon data that is scraped from other sources. For example, price comparison websites will scrape data from a variety of sources in order to determine what others are charging. Similarly, there are businesses that scrape services like LinkedIn for data, which they then analyze. They can then sell the results of these analyses as business intelligence.
Many people are wary of putting any more of their personal data than they absolutely have to online. Unfortunately, people often feel pressured by businesses and other organizations, who are eager for them to share as much as possible.
The introduction of GDPR throughout the EU highlighted just how weak the United States data protection laws are at the federal level. However, a new law introduced in California could have nationwide repercussions and could force a US-wide rethink of the way that we approach data.
California Consumer Privacy Act
The new California Consumer Privacy Act goes further than any other state law has before in granting individuals authority over their own personal data. Many analysts are already speculating that the new California law will be the first of many introduced at the state level to address deficiencies in federal legislation. Ultimately, if enough States implement such laws, a federal version may well come into force. However, for now, this California law is the best in the nation when it comes to safeguarding personal data.
Not only does the law restrict who has access to someone’s data once it has made its way online, but it also grants people the right to not only opt-out of any data collection, and ask the companies what their reason for collecting the data is. Consumers will also be able to find out much more about which third-party businesses are able to access the data, and businesses will have to be more transparent about who they are sharing data with.
This new law doesn’t just apply to individuals. It also applies to the household and any devices associated with that household.
There are three key pillars of the California Consumer Privacy Act. The right to know, the right to delete, and the right to opt-out.
The right to know simply means that consumers have the legal right to ask a business how and why it collects, uses, and sells their personal data.
The right to delete is similar to the right to be forgotten that has existed in the EU for some time. This means that consumers are able to request that any personal data a business holds on them is deleted.
Finally, the right to opt-out means that consumers must have the option to opt-out of the sale of their personal data. Any customers under the age of 16 cannot have their personal data sold unless they have specifically opted into the process. The customer aged 13 or under must opt-in through a parent or guardian to have their data collected.
What Does This Mean For The Future?
The new laws are undoubtedly a good thing for consumers in California. However, the effects of this new law will likely be felt across the nation. Any business wishing to do business in California is going to have to abide by these new regulations. For many businesses, it’s going to be easier to make these new policies and procedures standard across the entirety of their business. After all, if the analysts are correct, then this new law will be the first of many passed at the state level.
The response from businesses has been mixed, although this largely seems to be out of self-preservation rather than any serious objection to the new law. One report cited by CNN claimed that businesses might find themselves paying as much as $55 billion in order to ensure compliance.
However, many others have pointed out that a significant portion of the businesses affected will have already had to make adjustments in order to comply with the EU general data protection regulations. As a result, it should cost significantly less for many of these businesses to bring themselves into compliance with California’s new regulations.
The same report released by the California Department of Finance estimated that firms with fewer than 20 employees would not have to pay more than $50,000 to bring themselves into compliance. However, larger firms with more than 500 employees would find themselves paying an average of $2 million.
In any case, businesses have until the 1st of January 2020, when the law goes into effect, to make sure that they are compliant. There will also be a period of leniency for 6 months after January 1.
Over the last couple of decades, the disparity in consumer protections in the United States and the EU has been laid bare by the introduction of numerous consumer-friendly regulations in the latter. The introduction of GDPR in the EU brought the issue into sharp focus.
Globally, governments have been slow to react to changes in technology. This is reflected in the fact that we still do not regard internet access as a human right; nor do we regard people’s personal data as being their property. The notion that we should have any rights at all when it comes to our data is a relatively new one. It is also one largely born out of necessity after both governments and private corporations have mishandled or personal data.
Hopefully, California’s new law will be the first of many introduced at the state level. Who knows? This could ultimately lead to the kind of federal regulations that many tech industry analysts have been screaming for a while now.