While both the California Consumer Privacy Act and Europe’s General Data Protection Regulation address the collection of personal information by businesses, they are actually quite different.
Here’s where they diverge and why the advertising trade orgs are lobbying like bandits to block the California act’s passage. The IAB, DMA, ANA, 4As and NAI decried the proposed legislation Thursday in a joint webinar.
(The proposal has more than enough signatures to get on the ballot, although the final decision won’t be made until June 25. If it does make it on, which is highly likely, the initiative could be voted into law during the general election in November.)
CA vs. EU
First off: legitimate interest. There’s no such concept in the California action.
The ePrivacy wild card aside, GDPR allows for legitimate interest as a legal basis to process data for direct marketing. Ad tech companies and other third parties are hitching their star to legitimate interest as a way to continue collecting data or running analytics tracking without having to get consent.
Second: the definition of personal information. Beyond all the usual stuff – email address, Social Security number, driver’s license number – the proposal considers browsing, search history and app interaction data to be personal, as well as any inferences drawn from the data collected.
“The practical application of this definition contains virtually every data point we can think of,” said Dan Jaffe, group EVP of government relations at the Association of National Advertisers.
Third: consent. Under GDPR, consent is the gold-standard legal basis for data processing, and companies need to obtain it proactively. The California law would stick with the status quo in terms of an opt-out regime – consumers would need to actively request that their data not be collected – but it also proposes more stringent restrictions on data collection and use.
For example, businesses would not be able to deny service or change service in any way if a consumer opts out and could only ask consumers to reconsider their opt-out preference once a year.
Next up: fines. They’re steep. Infractions such as the failure to disclose on request all of the categories of information collected and the failure to disclose all the third parties with whom personal info was shared both would result in a minimum $1,000 fine per person per violation.
“That could quickly add up to millions or billions of dollars for companies doing business in California,” said Alison Pepper, SVP of government relations at the 4As.
Which leads to enforcement. Beyond official enforcement by the attorney general or a district attorney, the California act includes the private right of action, which means consumers can sue companies directly for alleged violations.
“There’s the possibility of dual action for the same enforcement: the attorney general going after you for a public action and [trial] attorneys going after you for a private action,” Pepper said.
No harm, all foul
The advertising trade orgs are particularly miffed by a section of the California initiative that would allow private consumers to seek redress for “injury in fact,” meaning they wouldn’t have to prove harm, economic or otherwise, before bringing a suit, which could open the door to class-action lawsuits, Jaffe said.
In other words, any violation would automatically be considered harm.
“The mere fact of somebody’s IP address being released or their browser information when they went to go find the weather or look up a sports score – if that kind of information leaked, [consumers] would be able to sue,” he said, “and that could mount up to millions of pieces of information very easily.”
This is contrary to how the Federal Trade Commission approaches enforcement, which requires the consumer to prove harm before it takes any action.
“The kicker of this is that it flies in the face and vitiates every notion we had about harm,” said Brad Weltman, VP of public policy at the Interactive Advertising Bureau.
The California Consumer Privacy Act is almost guaranteed a spot on the ballot.
Alastair Mactaggart, the wealthy former real-estate-developer-cum-privacy-champion who’s already spent nearly $3 million of his own money to advance the cause, has submitted more than 670,000 signatures to the California secretary of state, although the initiative doesn’t need even half as many to make it onto the ballot. Even if a large portion of the signatures are invalidated, it’s nearly assured that there’ll be enough to pass it through.
If the initiative does become law, its effect on US businesses will extend beyond California, which has a population of almost 40 million. “It’s kind of hard to do business in this country and completely ignore California,” Pepper said.
Companies would be subject to the law if they do any business in California and meet at least one of the following thresholds: gross revenue of $50 million or more, selling or sharing information on 100,000 California residents or devices, or getting 50% or more of their annual revenue from selling personal info.
“California then becomes the baseline for every other state,” said Chris Oswald, VP of advocacy at the ANA-owned Data & Marketing Association. “Other citizens living in other states are going to be bound by California, which is crazy.”