On Thursday, California Gov. Jerry Brown signed what looks like the boldest data privacy bill in the country — and the reverberations could shake retailers on the West Coast and beyond.
The goal is to safeguard consumer data, which has become a hot-button issue in the era of Target and Equifax hacks and misuse of Facebook user data. Prescriptively, the statute aims to regulate companies’ privacy practices and give consumers the final say over how their information is used, though the policy takes on a somewhat transactional tone. Customers who let companies sell their data could be compensated in the form of discounts, while those who opt out could be charged, based on what the business would have made.
The legislation covers California residents only, but it invites comparisons to the European Union’s General Data Protection Regulation, which took effect in May. Both measures demand that tech providers, retail companies and others that deal in user data do more to protect it, especially when it comes to security, privacy and permissions.
But there are differences, and the nuances matter.
Under both, the consumer has a right to request that businesses delete any personal information, noted privacy and data security attorney Dave Stauss. But with GDPR, “there are consent requirements — you get consent up front from consumers.” This refers to the “opt-in” style of user permissions, which kicks in before companies use the data, versus “opt-out,” which applies after the fact. “That doesn’t exist [in the California statute], with the caveat that there’s an underage provision for 16 years or younger for parental consent,” he said.
Stauss, a partner at the firm Ballard Spahr, represents clients from start-ups to multibillion-dollar companies across numerous sectors, including retail. He added that GDPR also lists third-party requirements, so “if you’re transferring information, if you have third-party service providers, you’re required to button that up.…That’s not really in the California legislation.”
That particular aspect could impact brands and stores that have partnered with technology providers on data-driven features, like personalization, fitting, styling, product recommendations and more.
Those distinctions speak to another major issue with the new rules: The bill, which was put forth by Assemblyman Ed Chau, was crafted hastily and its language is vague, which means it’s difficult to ascertain just how they’ll be applied and who could be affected.
Brown inked the measure within hours after lawmakers voted, most likely to prevent a similar proposal from San Francisco real estate developer Alastair Mactaggart from appearing on November ballots. The latter, which has been pulled, would have been more difficult to amend.
As for the current legislation, it doesn’t go into effect until Jan. 1, 2020, so there’s some time to flesh out the details. There are plenty to hammer out. “GDPR is a 90-page legislation, plus or minus, with working groups publishing guidance. And there’s still tons of ambiguity,” Stauss explained. “And here you have a 10-page law with no publishing guidance.”
That doesn’t stop Sen. Robert Hertzberg, the bill’s coauthor, from believing other states will follow his state’s lead: “We in California are taking a leadership position with this bill. I think this will serve as an inspiration across the country.”
It may serve as more than just inspiration. Online purveyors know that e-commerce and other digital services don’t hew to geographical lines. In addition, maintaining separate sets of policies may be prohibitively complex or expensive for companies. The end result could be sweeping changes applied to consumers broadly, not just in California.
Stauss believes the rules will affect companies in different ways, based on their size, the measures they have in place already and other details. But regardless, the statute — whatever it winds up being — will likely be an ongoing point of intense interest for retailers, tech companies and state legislatures across the nation.