In the period of just a week, California passed a bold new privacy law — the California Consumer Privacy Act of 2018. This law was hurried through the legislative process to avoid a proposed ballot initiative with the same name. The ballot initiative was the creation of Alastair Mactaggart, a real estate developer who spent millions to bring the initiative to the ballot. Mactaggart indicated that he would withdraw the initiative if the legislature were to pass a similar law, and this is what prompted the rush to pass the new Act, as the deadline to withdraw the initiative was looming.
There are others who summarize the law extensively, so I will avoid duplicating those efforts. Instead, I will highlight a few aspects of the law that I find to be notable:
(1) The Act creates greater transparency about the personal information businesses collect, use, and share.
(2) The Act provides consumers with a right to opt out of the sale of personal information to third parties and it attempts to restrict penalizing people who exercise this right. Businesses can’t deny goods or services or charge different prices by discounting those who don’t opt out or provide a “different level or quality of goods or services to the consumer.” However, businesses can do these things if they are “reasonably related to the value provided to the consumer by the consumer’s data.” This is a potentially large exception depending upon how it is interpreted.
(3) The Act allows businesses to “offer financial incentives, including payments to consumers as compensation,” for collecting and selling their personal information. Financial incentive practices cannot be “unjust, unreasonable, coercive, or usurious in nature.” I wonder whether this provision will undercut the restriction on offering different pricing or levels of service in exchange for people allowing for the collection and sale of their information. Through some clever adjustments, businesses that were enticing consumers to allow the collection and sale of their personal data through different prices or discounts can now restructure these into “financial incentives.”
This cartoon is based on a fairly recent trend – countries that are requiring data localization. Data localization involves requirements that personal data collected in a certain country reside on servers within that country’s borders.
Here are some articles on data localization worth looking at:
On Wednesday, the U.S. Court of Appeals for the 11th Circuit issued its long-awaited decision in LabMD’s challenge to an FTC enforcement action: LabMD, Inc. v. Federal Trade Commission (11th Cir. June 6, 2018). While there is some concern that the opinion will undermine the FTC’s power to enforce Section 5 for privacy and security issues, the opinion actually is quite narrow and is far from crippling.
While the LabMD opinion likely does have important implications for how the FTC will go about enforcing reasonable data security requirements, we think the opinion still allows the FTC to continue to build upon a coherent body of privacy and security complaints in an incremental way similar to how the common law develops. See Solove and Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014).
For global organizations as well as organizations in the EU, the GDPR has brought significant attention and resources to privacy. Finally, many executives are beginning to take privacy seriously. As I recently wrote in my article, Prime Time for Privacy, at Bloomberg Law:
The GDPR has taken privacy to the next level. Before the GDPR, nothing had fully gelled around what protecting privacy actually entailed. The consequences of poor privacy were also rather vague in many cases. There was no clear blueprint for protecting privacy. Organizations would do just one or two things, such as provide a notice of privacy practices and keep data secure, and then claim they were protecting privacy. But they were only doing a fraction of what was truly needed to protect privacy.
The GDPR has changed all that. It provides a blueprint for protecting data that is more thorough and complete than nearly any other privacy law. The GDPR contains provisions that require governance measures, data mapping, assessment, data protection by design, and vendor management, among other things. It provides for individual rights such as the right to access one’s data, the right to request restrictions on data use, the right to be forgotten, and the right to data portability. The GDPR has a broad definition of personal data, and it applies across different industries, so it provides a comprehensive baseline of privacy protection.
Now, privacy professionals can point to a definitive source of the various norms, best practices, standards, and rules that have long existed in fragmentary form. The GDPR has penalties that will keep the CEO awake at night. Privacy professionals can point to it and say, “This is what we need to do, and this is why.”
In the past few weeks, with enforcement of the General Data Protection Regulation (GDPR) beginning on May 25, countless organizations launched emails and pop up notices about changes in their privacy notices in light of GDPR. This cartoon pokes a little fun at the blizzard of changed privacy notice notices.