The Management Series

Jun 2018

Will Californians Approve Tough Internet Privacy Rules?

New internet privacy rules took effect in Europe June 1, requiring compliance not just from EU companies but any U.S. firms that have an EU presence. So what’s the status of privacy rules in the United States?

Congress is toying with the notion of enacting privacy rules in the United States, and some legislation has been introduced. But it’s unlikely there will be action soon. The ultimate shape of a new federal law is far from predictable.

But what Congress can’t do, California just might.

Backers of the California Consumer Privacy Act submitted more than enough signatures last month to put the initiative on the ballot in November. Election officials have yet to certify the measure, but approval is expected. In many regards, it is broadly similar to the General Data Protection Regulation (GDPR), which has taken effect in the European Union. (Read the June Leader’s Edge magazine article “Overseas Oversight” to learn more about how GDPR will affect U.S.-based insurance brokers and whom it covers outside of the European Union. GDPR applies to those with an EU presence but can apply under other circumstances as well.)

While the proposed California law would apply only in the state, it could ultimately affect the entire nation since many large companies would likely find it too costly to adopt one set of rules for California customers and another for everyone else—a testament to the size of the state’s economy.

This is how The New York Times article “Silicon Valley Faces Regulatory Fight on Its Home Turf” described the thrust of the initiative: “The California measure has three major components: It gives consumers the right to ask companies to disclose what data they have collected on them; the right to demand they not sell the data or share with third parties for business purposes; and the right to sue or fine companies that violate the law.”

Some privacy activists believe consumers should have the right to bar companies from using their data at all. But the California proposal takes a less hardline approach.

“Companies can still use personal data for their own purposes to sell advertising or improve products. They would be restricted, however, from selling or disclosing that data to someone else for ‘business purposes’ upon a consumer’s request,” the Times says.

Even if the measure is certified, the proposal could still face fierce opposition: Silicon Valley and large internet companies nationwide are mounting a huge and costly effort to kill the initiative.

Alan Friel, an expert on consumer protection and privacy law in the Los Angeles office of the firm BakerHostetler, fears the law could have a drastic effect on online advertising and companies that supply it.

Writing on the BakerHostetler Data Privacy Monitor blog, Friel discusses both the California proposal and the leading privacy bill in Congress. He says while the federal legislation would allow people to forbid targeted ads based on their private information, it would allow companies to charge those users for use of their sites or otherwise change the rules of access—as does the EU’s GDPR.

But the California proposal would “not only restrict the ability of publishers and service providers of currently free-to-consumer, advertiser-supported content and services to require consent to interest-based advertising, but also prohibit them from even pricing access to interest-based-ad-free content and services differently than access to interest-based-ad-supported content,” Friel says.

Friel also worries that the legal standards governing the right-to-sue section of the initiative are tilted toward consumers and “would make filing claims very attractive to class action lawyers if it were to pass.”

If you need to catch up on the GDPR and make sure you understand what your firm needs to do, The Council recently held an audio-only webinar, “GDPR at the Eleventh Hour.”