Why GDPR Is Just the Tip of the Iceberg

I’d anticipated at the beginning of this year that we may be reaching a tipping point where privacy regulation that can have a significant impact on businesses gains real traction in the U.S. Indeed, we are halfway through the year and there have been some major developments.

However, so much attention this year has been on the EU’s new privacy regulation (GDPR) effective in May that some big privacy law changes domestically have been somewhat overlooked.

Most significantly, California passed AB375, also called the California Consumer Privacy Act of 2018. Part of the problem was that the bill was jammed through the system as part of a deal struck by legislators. Parties that were pushing for a state privacy ballot initiative agreed to withdraw the initiative if the legislation passed. As a result, the bill was introduced, passed both houses and was signed by the governor all in one week right before summer recess.

In a state that has a 2-year legislative session in which many bills are carried over for a 2nd year, a one-week turnaround is highly unusual. Despite the flaws with the bill, however, it is at least better than the privacy ballot initiative that it replaced.

AB375 still made sweeping changes to privacy requirements for businesses that deal with personal data or that have gross revenues of more than $25 million. Businesses that receive for commercial purposes or deal in personal information of 50,000 or more devices, consumers or households are affected regardless of revenue as are those who derive more than 50% of revenue from the sale of personal information.

Personal information is defined broadly and includes anything that could be linked, directly or indirectly, with an individual. The new law specifically includes browsing history, search history and any information on how a user interacts with a website, app or ad.

Just some of the privacy requirements imposed are as follows:

  • Consumers can demand companies disclose all of the information that has been collected about them and how it is used.
  • Consumers can demand the deletion of their personal information.
  • Consumers can opt-out of the sharing of any personal information about them to another company and cannot be discriminated against for doing so. E.g. no charging different prices or offering discounts unless reasonably related to the value of the data.
  • Consumers who experience a data breach have a private right of action with statutory damages up to $750 per consumer per incident or actual damages.

The law doesn’t take effect until January 2020. Meanwhile, starting this week, there is an effort underway to clean up the bill language from the inevitable flaws caused by cramming the original bill through so quickly.

Another bill that was passed this past legislative session was a data broker bill in Vermont. The new law requires anyone who trades in data that contains personal information to register with the state. That registration requires disclosure of some detailed information such as the nature and types of sources used to compile data, how consumers may opt out, details of any prior data breaches, and data collection practices. Data brokers are also required to develop standards to protect personal data.

Before you disregard the new law as being from a relatively obscure jurisdiction, understand that legislators often look at what other states are doing and copy language from successfully implemented laws.

Both of the above new laws in California and Vermont are the first of their kind. It is likely that other states will soon adopt versions of these laws in addition to tackling a variety of privacy issues and exploring ways to regulate them.

These privacy laws not only present risk and legal exposure to a business, but also affect how data can be used and its effectiveness. Anticipate these changes and have a long-term plan for adapting to new regulations and accommodating increased privacy restrictions. Making small changes along the way is much easier than a reactionary overhaul that becomes necessary.
