Home Privacy How The California Consumer Privacy Act Stacks Up Against GDPR

How The California Consumer Privacy Act Stacks Up Against GDPR


While both the California Consumer Privacy Act and Europe’s General Data Protection Regulation address the collection of personal information by businesses, they are actually quite different.

Here’s where they diverge and why the advertising trade orgs are lobbying like bandits to block the California act’s passage. The IAB, DMA, ANA, 4As and NAI decried the proposed legislation Thursday in a joint webinar.

(The proposal has more than enough signatures to get on the ballot, although the final decision won’t be made until June 25. If it does make it on, which is highly likely, the initiative could be voted into law during the general election in November.)

CA vs. EU

First off: legitimate interest. There’s no such concept in the California action.

The ePrivacy wild card aside, GDPR allows for legitimate interest as a legal basis to process data for direct marketing. Ad tech companies and other third parties are hitching their star to legitimate interest as a way to continue collecting data or analytics tracking without having to get consent.

Second: the definition of personal information. Beyond all the usual stuff – email address, Social Security number, driver’s license number – the proposal considers browsing, search history and app interaction data to be personal, as well as any inferences drawn from the data collected.

“The practical application of this definition contains virtually every data point we can think of,” said Dan Jaffe, group EVP of government relations at the Association of National Advertisers.

Third: consent. Under GDPR, consent is the gold-standard legal basis for data processing, and companies need to obtain it proactively. The California law would stick with the status quo in terms of an opt-out regime – consumers would need to actively request that their data not be collected – but it also proposes more stringent restrictions on data collection and use.

For example, businesses would not be able to deny service or change service in any way if a consumer opts out and could only ask consumers to reconsider their opt-out preference once a year.

Next up: fines. They’re steep. Infractions such as the failure to disclose on request all of the categories of information collected and the failure to disclose all the third parties with whom personal info was shared both would result in a minimum $1,000 fine per person per violation.


AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

“That could quickly add up to millions or billions of dollars for companies doing business in California,” said Alison Pepper, SVP of government relations at the 4As.

Which leads to enforcement. Beyond official enforcement by the attorney general or a district attorney, the California act includes the private right of action, which means consumers can sue companies directly for alleged violations.

“There’s the possibility of dual action for the same enforcement: the attorney general going after you for a public action and [trial] attorneys going after you for a private action,” Pepper said.

No harm, all foul

The advertising trade orgs are particularly miffed by a section of the California initiative that would allow private consumers to seek redress for “injury in fact,” meaning they wouldn’t have to prove harm, economic or otherwise, before bringing a suit, which could open the door to class-action lawsuits, Jaffe said.

In other words, any violation would automatically be considered harm.

“The mere fact of somebody’s IP address being released or their browser information when they went to go find the weather or look up a sports score – if that kind of information leaked, [consumers] would be able to sue,” he said, “and that could mount up to millions of pieces of information very easily.”

This is contrary to how the Federal Trade Commission approaches enforcement, which requires the consumer to prove harm before it takes any action.

“The kicker of this is that it flies in the face and vitiates every notion we had about harm,” said Brad Weltman, VP of public policy at the Interactive Advertising Bureau.

Beyond borders

The California Consumer Privacy Act is almost guaranteed a spot on the ballot.

Alastair Mactaggart, the wealthy former real-estate-developer-cum-privacy-champion who’s already spent nearly $3 million of his own money to advance the cause, has submitted more than 670,000 signatures to the California secretary of state, although the initiative doesn’t need even half as many to make it onto the ballot. Even if a large portion of the signatures are invalidated, it’s nearly assured that there’ll be enough to pass it through.

If the initiative does become law, its effect on US businesses will extend beyond California, which has a population of almost 40 million. “It’s kind of hard to do business in this country and completely ignore California,” Pepper said.

Companies would be subject to the law if they do any business in California and either have gross revenue of $50 million or more, sell or share information on 100,000 California residents or devices and/or get 50% or more of their annual revenue from selling personal info.

“California then becomes the baseline for every other state,” said Chris Oswald, VP of advocacy at the ANA-owned Data & Marketing Association. “Other citizens living in other states are going to be bound by California, which is crazy.”

Must Read

Comic: An ID Bridge Too Far?

Programmatic Companies Wrestle With ID Bridging And What Counts As Fraud

In January, the Chrome browser removed third-party cookies for 1% of users, to facilitate testing of the Privacy Sandbox –  and a new controversy was born.

It’s Open Season On SaaS As Brands Confront Their Own Subscription Fatigue

For CFOs and CEOs, we’ve entered a kind of open hunting season on martech SaaS.

Brian Lesser Is The New Global CEO Of GroupM

If you were wondering whether Brian Lesser was planning to take some time off after handing the CEO reins of InfoSum to Lauren Wetzel last week – here’s your answer.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Comic: S.P. O'Middleman's

TripleLift CEO Dave Clark Abruptly Exits After Setting The SSP On A New Trajectory

Dave Clark, who’s led TripleLift for the past two years, is stepping down, effective immediately, and is being replaced by a coterie of TripleLifters.

shopping cart

Moloco Invests In Its Competitor Topsort As The Retail Media Stakes Go Up

Topsort can lean into Moloco’s algorithmic personalization, while Moloco benefits from Topsort’s footprint with local retailers in the US and in Latin America.

CDP BlueConic Acquires First-Party Data Collection Startup Jebbit

On Wednesday, customer data platform BlueConic bought Jebbit, which creates quizzes, surveys and other interactive online plugs for collecting data from customers.