Now that the General Data Protection Regulation in Europe has taken effect and begun wreaking havoc, it’s worth looking at GDPR-like laws being put on the table in the U.S. Last month, a couple of senators introduced the CONSENT Act. And later this year, California will vote on a privacy law that has already earned the ire of Facebook and Google.
Like GDPR, the California Consumer Privacy Act aims to draw people’s attention to the personal information that companies collect from them and how that information can make its way into other companies’ hands. But the similarities don’t extend much further than that.
Is the California Consumer Privacy Act just the US version of GDPR?
Hardly. Like GDPR, the California act gives people the right to know what information companies collect about them. But very much unlike GDPR, the California bill wouldn’t require companies to get people’s permission to collect their information in the first place. Companies wouldn’t even have to let people opt out of having their data collected.
“It gives an expanded right to know and an opt-out requirement once the request is made. Contrast that with a knowing consent requirement under the GDPR,” said Ron Camhi, managing partner at law firm Michelman & Robinson’s Los Angeles office and chair of its advertising and digital media industry group.
What would it require?
Companies would have to tell California residents what kind of personal information they collect, but only if the resident asked to know. Then, if a company sells or shares that information with another company, it would have to tell the person who those other companies are, but only if asked. And if the company sells the information — but only if they do — the person could ask the company to stop selling it, and the company would have to honor the request.
Only California residents?
Yep, and only when those people are located in California. If an Angeleno is visiting New York, they wouldn’t be covered. But considering California counts roughly 40 million residents, it’s unlikely that a company doing business in the U.S. would be able to avoid the law, if passed.
OK. So what counts as ‘personal information’?
All kinds of information. It includes the standard stuff like a person’s name, mailing address, Social Security number and driver’s license number as well as their digital equivalents, such as a person’s email address, unique ID and IP address. It also covers demographic data like race or ethnicity, plus gender and job-related data.
But it would also include people’s web browsing and search histories and any information tied to what people do on a site or app, or how they interact with an ad. And e-commerce sites like Amazon and third-party data providers like Acxiom and Datalogix would be affected by the inclusion of data related to what products people buy and what services they use. The act also looks to head off how data from the “internet of things” ecosystem can be used by including face-, voice- and health-related data. Finally, any information inferred from the aforementioned information (like a company inferring someone is a new parent because they bought baby food) would be subject to the law.
People would be able to ask companies what types of personal information they collect, and companies would be required to tell them. And if a company sells or shares that information “for business purposes,” a person could ask which types of information were sold or shared and to whom, and the company would have to tell them.
What are ‘business purposes’?
It’s vague. Regarding advertising, it includes a lot of the programmatic processes that put ads on a site or app, such as impression measurement, viewability verification and ad serving. And if a company uses other companies for things like customer service, payment processing or cybersecurity and shares people’s personal information through that work, that would also qualify.
So unless a company operates its site or app in complete isolation — without any programmatic ads or traffic analytics software — it’s probably collecting people’s personal information and sharing it for business purposes?
But the company can keep collecting people’s personal information and sharing it for business purposes, so long as it complies with people’s requests to know what kind of information is being collected and who it’s being shared with?
And even if a company sells a person’s information and that person asks it to stop, the company can still collect that information?
What do the tech companies like Facebook and Google think about it?
They’re not fans. Both Facebook and Google — as well as AT&T, Comcast and Verizon — have donated $200,000 apiece to the Committee to Protect California Jobs, an organization that is lobbying to oppose the bill. Since donating to the organization — and coinciding with Facebook’s Cambridge Analytica scandal — Facebook and Verizon have withdrawn their support of the opposition group, though not the money they had already sent.
Facebook, Google, AT&T, Comcast and Verizon all either dominate or want to dominate the digital advertising industry by using people’s data to target them with ads. So this is an anti-ad targeting bill?
Not according to Alastair Mactaggart, campaign chair of the committee behind the bill, Californians for Consumer Privacy. “We still allow advertising, and we still allow targeted advertising,” he said. And Facebook has already curbed the use of third-party data to target ads on its platform.
So why are Facebook and Google opposed to the bill?