California moves a step closer to EU membership

On Thursday, California passed the ‘California Consumer Privacy Act of 2018 (AB 375),’ otherwise known as the ‘Cross-Atlantic GDPR Migration Act.’*

Under threat of a far more concerning privacy referendum, the tech industry agreed to forgo their typical anti new data rules position, to the let the bill pass into law virtually unopposed.

AB 375 won’t be enforceable until January 2020, but this is a watershed event for the US privacy and data driven tech communities.

Those of us that have been immersed in the European GDPR over the last several years will find many of AB 375’s provisions familiar:

• Privacy as a fundamental human right. This is not a new notion in California law, but it is a recurrent theme throughout the law, and it highlights a general framing of privacy as a human rights issue that is of a piece with GDPR.
• A broad definition of personal data. We’ve written before about the Death of PII. GDPR defines personal data in a manner that clearly includes devices identifiers like cookie IDs, mobile IDs, lat/long, etc. AB 375 builds on this expansion to include IP addresses and browsing history by explicit reference, among a long list of itemized additional inclusions.
• Rights of access, to be forgotten, to cease processing, etc. The phrasing isn’t always the same as GDPR, but the list of itemized rights to transparency and control of AB 375 appear to be lifted directly from GDPR. AB 375 extends these rights and in many cases requires more prescriptive approaches for how companies must fulfill these rights.
• Serious fines. AB 375 provides for a private right of action in certain circumstances and AG fines of up to $7,500 ‘per violation.’ If violations are determined on a per impacted user basis, this would scale up very quickly.

Web-scale companies aren’t going to set aside specific compliance regimes for the EU, and now California, just so that they can preserve alternative tactics and lesser privacy controls for the other 49 states. California is effectively setting a new legislative floor for the US, and they are borrowing heavily from the EU as they plan out their remodel.

Now … despite the fact that this bill has been passed, we don’t think we’re looking at the final version of the law that will be enforced in 2020.

Today’s text was passed in a chaotic sprint, under duress, that lead to sloppiness and unintended consequences that will need to be straightened out. Industry allowed this version to pass in no small part because they expect to have opportunities to work with legislators on amendments over the next 18 months. Of course, we don’t expect industry to have free reign with the revisions, as that pesky referendum can return at any moment if the parties do not appear to be acting in good faith.

From where we sit on the calendar, it’s too early for companies to invest in literal translation of AB 375 into pragmatic commercial implications.

But it is not too early to take stock of the larger context for the bill:

• When the feds sleep, states fill the vacuum. The FTC is falling back on a more explicit ‘harm based’ enforcement model. The FCC is rolling back privacy rules. The US Congress is unable or unwilling to pass baseline privacy legislation. This leaves a massive vacuum that looks only more conspicuous when you observe the rules that are being passed not only in the EU, but across APEC and South America. In this environment, we predicted that left leaning states in particular would see especially strident legislative and AG driven enforcement activity.
• Those ‘crazy Europeans’ might actually be setting a global course. In the EU, we have GDPR. Across the rest of the globe, we have major markets pursuing legislative ‘fixes’ to achieve ‘adequacy’ for ease of trade with the EU. While many in the US were asleep and calling the Europeans crazy, a global movement was afoot. It was only a matter of time before the US realized that they were the odd one out. EU standards are now crossing our threshold.
• Smart companies will be planning a global GDPR footprint. In this environment, smart companies are beginning to plan for higher global standards. Elevated rules have a way of sorting markets and companies that are inoculated in advance will be ready to capture business from companies on the wrong side of disruption. Further, no company wants to be on the tail end of a movement for greater transparency and trust in data practices.
• Partner up with the companies that have direct consumer relationships. The global movement towards transparency and accountability throughout the data value chain gives companies with direct consumer relationships a huge advantage over companies that have no way of building consumer trust directly. If you have this consumer relationship, recognize and capitalize on your advantage. If you do not have this relationship, can you move closer to clients and partners that do? How can you become a critical enablement partner to companies with direct consumer relationships, such that they would want to invite you under their trust umbrella?

While we will be tracking the particulars of AB 375 as it continues to evolve through the amendment process, the most important elements of the larger narrative have already been written.

* this isn’t so … at least not explicitly.

If you found this piece valuable, please give us a few hearty claps and follow us for ongoing updates. We also welcome discussion — please leave your comments and feedback in a response below!

The Lucid Privacy Group actively manages privacy strategy and operations, and serves as DPO, for startups and marketing technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at hello@lucidprivacy.io or visit us on the web or Twitter.