Last year was a big year for privacy. The introduction of the EU’s General Data Protection Regulation (GDPR), coupled with data leaks at big multi-national organisations, pushed the subject out into the mainstream. It was a “big bang” moment for data, and one which has given birth to a range of new oversights – as well as a growing consumer movement for transparency and assurances on how their personal information is used and safeguarded.
In the US, interest in the GDPR provisions has been such that comparable bills have been drafted, or introduced, across more than a dozen states – with California’s Consumer Privacy Act (CCPA), arguably, the standout in the field.
The CCPA, which is set to come into force on 1 January 2020, follows much of the GDPR blueprint, in terms of consumer rights to know what information is being collected about them, and how this data can be accessed, and, where necessary, deleted. However, a key differentiator is its focus. For, whereas the GDPR is centred squarely on personal use, the CCPA’s preoccupation is commercial and contains opt-out rather than opt-in permissions for end users. It also only applies to businesses that have annual gross revenues in excess of $25 million, possess personal information of 50,000 or more consumers, and that earn at least 50 percent of their annual revenue from selling or sharing consumers’ personal information.
So, there are some limitations. But, even with these, the CCPA represents a huge step forward for California and the wider country – with the bill seen as a blueprint, or model, for other US states.
We need only look at legislative action in places such as Texas, Mississippi and New York to get an idea of the interest the GDPR and CCPA have engendered. All of the proposed bills in these states mirror the contents of the CCPA, for the most part, while in Hawaii, the scope is broader still, à la the GDPR, to encompass all residing, or operational, businesses in its jurisdiction.
The buzz around the CCPA’s provisions and roll-out, and data privacy more generally, has also got Capitol Hill talking. Lawmakers on all sides have praised California for taking the lead on the subject of data privacy, and some have called on the Federal Trade Commission (FTC) to draft a pan-state bill for congressional approval. For this cross-party tranche, the CCPA presents an immediately transferable model that could be applied across the country – and, in turn, bestow upon Americans a uniform set of rights. “There needs to be a national-level regulation, not state-by-state on what we’re going to do about privacy,” said one lawmaker in a recent interview. “We should know what data you keep on us. We should be able to take our data and be able to delete our data.”
It’s a reasonable ambition. But it’s not without issue or bulwark. For, already, there’s been pushback by lawmakers in states where legislation will shortly come into effect – with many expressing scepticism at the idea of a superseding federal bill, which could water down provision. There’s also been considerable disagreement about how far the prospective legislation should go, and the potential impacts an overriding bill could have on state authority. “States have been at the vanguard of protecting Americans”, a spokesperson for the House Speaker, Nancy Pelosi, told the Wall Street Journal. “They have all benefited from state privacy and data breach laws… so their role as policy innovator and law enforcer must be respected”.
It’s a difficult field, and it seems there’s still some way to go before we’re likely to see federal legislation. For, indeed, it’s true that, to pass such a bill, legislators would have to surmount – and, indeed, pre-empt – established procedure. They’d also be adopting a model that’s not yet in play, and that has yet to receive proper scrutiny. Some lawmakers, including those in California and Texas, where a comparable bill has now been introduced, argue, reasonably, that it would be better to wait and survey the performance of these state-level laws before looking at a pan-state solution.
They may well be right and the winning force in this debate – at least for now. But the genie is out of the bottle, and the subject of privacy is not going to go away, as other state-level bills come into effect. The traction and clamour for change is welcome, for us all. For consumers, it will provide a means of oversight, and an ability to intercede, on how their personal information is used. While, for businesses, it retains a crucial human-based connection, founded on trust. These are necessary components as we enter a new digital age – and it’s almost certain that bills such as the GDPR and CCPA will be viewed, by posterity, as significant milestones on this road.
Barry Cook is Privacy and Group Data Protection Officer at VFS Global, an outsourcing and technology services provider that operates in 147 countries on behalf of 63 client governments (including the UK and US)