The European Union’s recently enacted General Data Protection Regulation laws affect more than just European internet users. Because of GDPR, which became enforceable Friday, any business or entity that operates in the EU or provides services to EU citizens — including some brick-and-mortar retailers —is now required to provide users with a way to access their own data, as well as information about when their data is being collected and how to delete their data if they so choose.
People in the U.S. get to reap many of these benefits, too, like being able to download your data and being notified when there’s a breach, but GDPR’s ripple effect has an additional benefit: motivating U.S. lawmakers and other groups to get serious about similar regulations stateside.
Enter the California Consumer Privacy Act. If successful, the ballot initiative — first drafted in November and submitted May 3 with about 625,000 signatures — would give consumers greater control over their personal information.
According to a summary of the proposal, consumers would have the right to know what kind of personal information businesses are collecting about them; the entities to which their information is sold or disclosed; and the right to prevent businesses from sharing said data. The proposed legislation also calls for civil penalties for businesses who fail to adhere to its regulations and would allow consumers to sue businesses for data breaches.
“You have the right to tell a business not to share or sell your personal information,” the website reads. “You have the right to know where and to whom your data is being sold.”
The proposed bill was crafted by Californians for Consumer Privacy.
“With GDPR, once a company gets consent from a user it’s business as usual, not much is going to change,” Alastair Mactaggart, the group’s campaign chair, said in a phone interview.
Though GDPR benefits consumers globally, internet users may not be able to rely on Europe to fight everyone’s privacy battles.
“The protections that GDPR offers, when it comes to U.S. consumers, are offered voluntarily by the company,” Neema Singh Guliani, legislative counsel at the American Civil Liberties Union, said in an interview. “Even though GDPR provides benefits globally, it doesn’t eliminate the need for privacy law in the U.S. or the need for an apparatus to ensure that if a customer is not given a right, that they can take [a company] to court.”
The California proposal is different from GDPR in that it would require more transparency from companies on how consumers’ data is utilized and shared.
This isn’t the only bill in the works that emphasizes consumer privacy. Federal lawmakers have introduced legislation like the CONSENT Act and the Social Media Privacy Protection and Consumer Rights Act, both of which are aimed at establishing data and privacy protections.
Mactaggart noted that California often establishes precedent when it comes to progressive lawmaking in the U.S., pointing to car emission standards as one example. “If this passes in California, it will pass in the rest of the country,” Mactaggart said.
According to Singh Guliani, pressure is mounting for the U.S. to catch up to Europe. “There’s a greater sense of urgency given what’s come out over the past several months, and given what laws other countries adopt in response,” he said.
Prior to GDPR, most of the privacy heat has fallen on Facebook with regard to the Cambridge Analytica scandal and the social media giant’s overall business model. But companies like Google and even online quiz providers are also guilty of collecting similar data. The enforcement of GDPR — and the deluge of privacy update emails it spawned — have placed an even greater spotlight on online privacy.
In this post-GDPR world, it’s worth noting that some lawmakers have previously made attempts to enact data and privacy protections — with little success. Rep. Bobby Rush (D-Ill.), for example, reintroduced the Data Accountability and Trust Act back in 2011, while former Sen. John Kerry (D-Mass.) tried to garner support for the Commercial Privacy Bill of Rights Act that same year. The Consumer Privacy Bill of Rights, an initiative introduced by the Obama administration in 2012, did relatively little to keep the privacy of internet users intact.
A Republican-controlled Congress rolled back those protections in 2017.
The California Consumer Privacy Act focuses on similar provisions that would prioritize the protection of consumer privacy. However, the recent surge of public concern over privacy issues help these measures pass.
“This is something people are focused on more than they were two years ago, thanks to Cambridge Analytica,” Mactaggart said. “Our initiative skips [the] legislature and goes straight to the voters, so everything that makes voters more aware of the lack of control they have over their own data helps.”
Mactaggart also addressed the fact that tech and innovation often move faster than lawmakers. “How do you make a law in 2018 that’s still relevant in 2025?” Mactaggart said.
The answer to this, he said, is in a particular section of the California Consumer Privacy Act that reads: “The attorney general may adopt additional regulations as necessary to further the purposes of this act.” This would allow the state’s attorney general to update the act as necessary as new technology emerges.
Future-proofing a privacy bill is nearly impossible, but letting the right people make a judgement call offers a good start. The other option: a foundation of baseline rights crafted using common sense.
“Technology is moving faster than the laws that can govern it, and it’s tough to predict what laws we may need next,” Singh Guliani said. “Things like user consent, transparency and data portability are very important for users. It won’t solve every issue, but it’s a necessary piece of every legislation.”