Sacramento State Capitol Sacramento State Capitol building on Capitol Way. In the years leading up to implementation, the European Union's General Data Protection (GDPR) was framed as a contrast point to U.S. privacy laws.  While European regulators were busy building an elaborate consumer privacy framework, U.S. businesses were operating with little explicit regulation.  The California Consumer Privacy Act, a ballot initiative put forth by a group of California residents, may put in place the largest sweeping consumer data privacy protections in the country. The ballot initiative could go before California voters in November and promises to fundamentally readjust how tech companies and attorneys think about data privacy domestically. The proposed initiative would allow California consumers to find out if and how their data is being used and refuse to allow companies to sell it to third parties. The bill also carries steep penalties for compliance failures and applies to any business who gets more than half of its revenue from consumer data sales or has gross annual revenues over $50 million. announced an agreement on Thursday evening between $1000 and $3000 per compromised individual should they fail to comply.

Privacy in Perspective

Much like existing data breach notification laws in various states, legislation like the California Consumer Privacy Law is likely to have a national sweep. Internet-based companies tend to serve consumers across all 50 states, meaning the policies they put in place are likely to affect at least some California residents. That said, it doesn't apply universally. Newmeyer & Dillion partner Anne Kelley explained, “If the business is outside of California, if the consumer whose data is being collected is not a California resident, [and] if all of the conduct takes place outside of California, then this will not apply.” Moving a data collection operation entirely outside of California is much easier said than done. The state is the home of Silicon Valley, which houses some of the biggest technology companies on the planet and therefore some of the world's biggest consumer data holders. Some of California's largest tech companies have already come out against the ballot initiative.  Digital Reports noted  technology and telecom groups Facebook, Google, AT&T, Verizon, Microsoft, Uber and Amazon have all made large contributions to a lobbyist group called Committee to Protect California Jobs (Facebook, according to The Verge , recently pulled its donation and backing from this group). Part of their concern, as CompliancePoint senior vice president and general manager Greg Sparrow noted, stems the rigidity of the language. Unlike breach notification laws, the language of the California ballot initiative will not undergo the kind of legislative reworking process as state-sponsored legislation. “There is no rewrite of this. There is no revision. It goes into law as is if it's approved. That's a very scary thing for a lot of companies right now,” Sparrow said. If approved, companies will have a nine-month window to prepare before the policy takes effect.

'GDPR-lite'

The proposed legislation looks a lot like the GDPR, but some are split as to whether the California policy is likely to hit companies harder or softer. Kelley called the policy “GDPR-lite,” pointing to some of the lower barrier standards and penalty structure that California's proposed policy intends to put in place. But other some ways, California's proposal introduces complications for technology companies that could be more stressful than the GDPR. Class action litigation related to data breaches currently requires litigants to show that they've been specifically harmed by the exposure of their data, which hasn't been easy. Under the California proposed legislation, that burden is substantially reduced. “That's part of what scares everybody here, is there really doesn't have to be any harm done. If you can show there was a breach ... you have a right to sue them,” Sparrow said. Jonathan Fairtlough, a managing director with Kroll's Cyber Security and Investigations team, noted the harm requirement is “a significant increase over the current requirements of harm,” something that could put companies at a higher risk for litigation. GDPR uses an opt-in standard, requiring users to expressly consent to the use of their data by third parties and other sales, but California's proposal intends to use an opt-out policy, which instead could require companies to allow users to expressly deny use of their data for these purposes. If users do opt out, Fairtlough said, “Then there isn't any fair use of the information.” Some in California's technology community are concerned about the potential damper the ballot initiative could have on new data-based businesses. “If you build and app and if that app collects information, if you're trying to monetize that app by selling ads, and you don't have an opt-out capability, you're going to be in violation. If you do [have an] opt-out capability and people do opt out, you might not be able to make enough revenue to generate the information, and you're going to have to build a compliance structure around it,” Fairtlough explained.

Paving the Way for Privacy

California consumers, however, may not be able to wait for a more business-friendly policy. High profile data exposure incidents in the last year, such as the  Equifax data breach and Facebook's data sharing with political consulting group Cambridge Analytica, have raised significant consumer concern about data privacy rights. While both incidents prompted congressional hearings, neither resulted in congressional legislation. Indeed, the ballot initiative drafters created a bill far less concerned with Silicon Valley's input than that of consumers. “When you look at the text, it's very much been written from the side of the consumer,” Sparrow said of the proposed legislation. Alan Brill, senior managing director with Kroll's Cyber Security and Investigations practice, believes that, regardless of whether the initiative is approved by voters in November, technology and data-based organizations would do well to begin moving toward enacting better consumer controls for data.