Will California’s Privacy Law Extend to the Rest of the Country?
If businesses voluntarily apply the California Consumer Privacy Act nationwide beginning in 2020, the implications for American privacy could be significant.
California became the first state in the country last month to adopt sweeping changes to its privacy law following Europe’s adoption of the General Data Protection Regulation (GDPR) and the Cambridge Analytica scandal at Facebook. The law will no doubt have a significant effect on the operations of tech companies given that many of them are located in Silicon Valley or elsewhere in California. Even those companies outside of California are going to need to comply with the privacy law or face the loss of a significant consumer market.
Many expect large companies, such as Google and Facebook, to adopt the California provisions nationwide rather than apply different standards in different states. However, the real question is not whether Facebook and Google do so, because they already pledged to extend their GDPR privacy protections to Americans. Instead, the question is what businesses that did not have to comply with GDPR in the first place will do.
Why would businesses decide to apply across the United States a privacy law that governs their relationship with less than 15% of the people? We have come up with a few different reasons:
1. The Auto Emissions Theory
Sometimes, it is more costly to comply with two standards than it is to simply bring the product into compliance with the toughest standard. This happened with auto manufacturers when California set tough fuel emission standards in the past. Instead of producing special low emission vehicles for California, the automakers decided to sell the same vehicles elsewhere even though the laws there did not require the same tough emissions standards. As a result, consumers everywhere benefited from California’s law.
The same could happen for many businesses with respect to privacy. Companies could decide that it is cheaper and easier to provide everyone the same rights rather than attempt to divide users between those jurisdictions which protect privacy and those which have not yet adopted strong protections.
2. Bad Press
Privacy has been a hot topic in the media lately. Companies that choose not to protect privacy risk the significant costs that negative press imposes on their approval among consumers and their stock price. Most companies can’t afford to face the onslaught from a privacy scandal the way Facebook did.
A study published in the Harvard Business Review earlier this year found that increasing transparency about data privacy practices and giving control back to users over their data has a beneficial effect on consumer trust during a privacy incident.
The media is going to continue to look for privacy problems to flag to consumers. Businesses that do not adapt to the new environment are going to find it costly to do business without protecting privacy.
3. Privacy as a Competitive Advantage
Europe has already declared that data privacy is the future of business and technology. California has done so as well.
Companies that do the minimum necessary to comply with privacy laws risk finding out that consumers actually do care about privacy now and that they are losing business to companies that put privacy first. By the time they find out that the world has changed, it may be too late for them to catch up.
If all else is equal between two products in the market, savvy consumers in today’s environment are going to lean toward buying the one that has better privacy protections. This is as true here in Pennsylvania as it is in California, where there was support for an even tougher privacy law. Businesses in a competitive market cannot afford to cede this advantage to one of their competitors.
4. Limit Regulation by the Federal Government
It is clear that there is at least some support in Congress for businesses offering the same privacy protections for everyone. If businesses want to head off congressional action, their best shot may be to start giving everyone the strongest privacy protections.
Senator Ed Markey already submitted a resolution to the U.S. Senate calling on companies to apply the privacy protections included in the General Data Protection Regulation (GDPR) to the citizens of the United States. Senate Resolution 523, as it is called, was introduced in Congress on the day before GDPR went into effect and was referred to the Committee on Commerce, Science and Transportation for consideration. The resolution has three co-sponsors.
The proposed Senate Resolution includes the suggestion that GDPR covered entities use opt-in, freely given, specific, informed and unambiguous consent from users as the primary legal basis for processing, or find another legal basis under the GDPR. The resolution also asks data processors to limit their data processing to the specific purpose stated to the individual, institute special protections for children’s data, and implement appropriate oversight over third party data processors.
The proposed Senate Resolution also calls on them to respect the rights of an individual to revoke consent for processing at any time, to not be subject to automated decisionmaking with significant effects, to know what entities have access to their data and how it will be used, to correct inaccurate or incomplete data, and to data portability.
If the Senate passed this Resolution, it would not be presented to the President for signature and would not have the force of law. Nevertheless, the calls for companies operating in Europe and California to provide the privacy protections to everyone are likely to grow as California’s new privacy law goes into effect in 2020.
Voluntary adoption of the California protections nationwide would be a step towards obviating the need for federal regulations like the Consent Act or Browser Act. It may not be sufficient to halt Congress given the Facebook scandal, but it would at least be a small signal questioning the need for government action.
5. Recognition of the Inevitable
A number of businesses responded to GDPR by closing down shop in Europe. These businesses no doubt decided that compliance costs exceeding $1 million and the possibility of fines up to 4% of annual revenue outweighed the business benefits of operating in the European market.
The “go dark” strategy may work for some American businesses that have a minimal presence in Europe. But it will not work for very long as more jurisdictions adopt new privacy laws. Can companies operating online in the United States afford to shut off their business in California? Probably not.
Companies are going to need a business model and technology that works in the current climate favoring enhanced privacy. California has given companies 18 months to figure out how to both do business and protect privacy. Once changes are made to comply with the new law, there is nothing stopping residents from New York, Massachusetts, and other states from demanding these rights and protections as well. California has started the ball rolling. Rather than fight to squeeze every last dollar of profit out of the old system, companies can get on board and be a leader advocating for what is best for their customers and users.
There are no doubt reasons and situations that are going to call into question the voluntary adoption of these privacy rights nationwide. To start, the case for voluntary adoption of the protections by businesses with a retail, offline presence outside of California is much less clear. There is also a significant possibility of changes in the current law. Given the bill’s speedy journey through the California legislature, there are probably going to be amendments to it. The longer the law is in flux, the less likely people are to support extending it to other jurisdictions ahead of its effective date.
We will be closely following issues like this one with the California Consumer Privacy Act in order to ensure that our privacy software is able to handle the needs of our customers. Rest assured that we will be able to help businesses regardless of which decision is right for them.