In the years leading up to implementation, the European Union's General Data Protection Regulation (GDPR) was framed as a contrast point to U.S. privacy laws. While European regulators were busy building an elaborate consumer privacy framework, U.S. businesses were operating with little explicit regulation. The California Consumer Privacy Act, a ballot initiative put forth by a group of California residents, may put in place the most sweeping consumer data privacy protections in the country. The ballot initiative could go before California voters in November and promises to fundamentally readjust how tech companies and attorneys think about data privacy domestically. The proposed initiative would allow California consumers to find out if and how their data is being used and refuse to allow companies to sell it to third parties. The bill also carries steep penalties for compliance failures and applies to any business that gets more than half of its revenue from consumer data sales or has gross annual revenues over $50 million. announced an agreement on Thursday evening between $1000 and $3000 per compromised individual should they fail to comply.

Privacy in Perspective

Much like existing data breach notification laws in various states, legislation like the California Consumer Privacy Law is likely to have a national sweep. Internet-based companies tend to serve consumers across all 50 states, meaning the policies they put in place are likely to affect at least some California residents. That said, it doesn't apply universally. Newmeyer & Dillion partner Anne Kelley explained, “If the business is outside of California, if the consumer whose data is being collected is not a California resident, [and] if all of the conduct takes place outside of California, then this will not apply.”

Moving a data collection operation entirely outside of California is much easier said than done. The state is the home of Silicon Valley, which houses some of the biggest technology companies on the planet and therefore some of the world's biggest consumer data holders. Some of California's largest tech companies have already come out against the ballot initiative. Digital Reports noted technology and telecom groups Facebook, Google, AT&T, Verizon, Microsoft, Uber and Amazon have all made large contributions to a lobbyist group called Committee to Protect California Jobs (Facebook, according to The Verge, recently pulled its donation and backing from this group).

Part of their concern, as CompliancePoint senior vice president and general manager Greg Sparrow noted, stems from the rigidity of the language. Unlike breach notification laws, the language of the California ballot initiative will not undergo the same kind of legislative reworking process as state-sponsored legislation. “There is no rewrite of this. There is no revision. It goes into law as is if it's approved. That's a very scary thing for a lot of companies right now,” Sparrow said. If approved, companies will have a nine-month window to prepare before the policy takes effect.

'GDPR-lite'

The proposed legislation looks a lot like the GDPR, but some are split as to whether the California policy is likely to hit companies harder or softer. Kelley called the policy “GDPR-lite,” pointing to some of the lower barrier standards and penalty structure that California's proposed policy intends to put in place. But in some other ways, California's proposal introduces complications for technology companies that could be more stressful than the GDPR.

Class action litigation related to data breaches currently requires litigants to show that they've been specifically harmed by the exposure of their data, which hasn't been easy. Under the California proposed legislation, that burden is substantially reduced. “That's part of what scares everybody here, is there really doesn't have to be any harm done. If you can show there was a breach ... you have a right to sue them,” Sparrow said. Jonathan Fairtlough, a managing director with Kroll's Cyber Security and Investigations team, noted the harm requirement is “a significant increase over the current requirements of harm,” something that could put companies at a higher risk for litigation.

GDPR uses an opt-in standard, requiring users to expressly consent to the use of their data by third parties and other sales, but California's proposal intends to use an opt-out policy, which instead could require companies to allow users to expressly deny use of their data for these purposes. If users do opt out, Fairtlough said, “Then there isn't any fair use of the information.”

Some in California's technology community are concerned about the potential damper the ballot initiative could have on new data-based businesses. “If you build an app and if that app collects information, if you're trying to monetize that app by selling ads, and you don't have an opt-out capability, you're going to be in violation. If you do [have an] opt-out capability and people do opt out, you might not be able to make enough revenue to generate the information, and you're going to have to build a compliance structure around it,” Fairtlough explained.

Paving the Way for Privacy

California consumers, however, may not be able to wait for a more business-friendly policy. High-profile data exposure incidents in the last year, such as the Equifax data breach and Facebook's data sharing with political consulting group Cambridge Analytica, have raised significant consumer concern about data privacy rights. While both incidents prompted congressional hearings, neither resulted in congressional legislation. Indeed, the ballot initiative drafters created a bill far less concerned with Silicon Valley's input than that of consumers. “When you look at the text, it's very much been written from the side of the consumer,” Sparrow said of the proposed legislation. Alan Brill, senior managing director with Kroll's Cyber Security and Investigations practice, believes that, regardless of whether the initiative is approved by voters in November, technology and data-based organizations would do well to begin moving toward enacting better consumer controls for data.