How a Proposed California Privacy Regulation Could Impact User Data-Driven Business
The European Union’s General Data Protection Regulation caused global consternation among business owners and technology providers when it went into effect last month, and it may even be spurring a need for innovation in data and artificial intelligence. But closer to home, in the state of California, a proposed regulation could impact almost every business in the United States.
If it passes and is signed into law in November, the California Consumer Privacy Act would establish groundbreaking new consumer privacy rights throughout the country. The California act mimics the heavy regulations of the GDPR and could become one of the broadest privacy laws in the nation.
“Both regulations aim to provide protections to the consumer. They both define personal data in a very broad sense, provide specific consumer rights, as well as expect organizations to be transparent about the personal data collected and processed,” says Greg Sparrow, Senior Vice President and General Manager at CompliancePoint, a firm that provides compliance consulting and audit services for marketers.
According to Sparrow, the California Consumer Privacy Act would require organizations to outline that they protect the personal data of consumers with appropriate and reasonable technical and security controls. The regulation would also include a private right of action. Violations would carry large fines that could add up quickly.
Although the initiative hasn’t been officially certified by California just yet, it has already received more than 600,000 signatures—almost double the number needed to be placed on the ballot. If it passes, it will become enforceable immediately after the November election.
What sounds like a state-specific regulation would actually impact businesses around the country, as it applies to any organization that works with any California residents. That puts businesses that work online—not just in the technology sector, but in a number of other industries, as well—firmly in the crosshairs.
“Businesses will need to be capable of honoring a consumer’s request to opt out of the sale of their data,” Sparrow says. “They must clearly and quickly provide information to consumers about the categories of personal data that they collect, and what organizations the personal data is sold to.”
The measure would require businesses to place a link on their homepages titled, “Do Not Sell My Personal Information.” Consumers who click on the link would then be able to opt out of having their data sold or shared. Organizations could still collect users’ data and target ads, but they would have to disclose the categories of information and characteristics being collected.
In Sparrow’s view, the passage of the California act would offer consumers more insight into how companies are leveraging their personal data for profit and how much of that data is already sold. The regulation would also help consumers feel more confident that companies are protecting their data appropriately. If not, those businesses would face consequences.
But the regulation would also place a new burden on businesses, which will have to start thinking beyond just revenue and profit when it comes to profiting from user data.
“This regulation will force companies to take a strong look at the personal data in their possession, how it’s used, who it’s shared with, and how to manage collection and sale of it moving forward,” Sparrow says.
One of the biggest upsides, from both a consumer and business perspective, is that the new regulation would likely reduce the number of opt-outs, making it a “win-win for organizations and consumers,” according to Sparrow.
Even though the California act doesn’t reach the ballot until November, Sparrow says there are things businesses should be doing now to prepare. First and foremost, he says companies should start defining personal data within their environments. They also need to compile data maps and data inventories of the personal data they currently collect. This should include who the data is used for, when the data was sold, for what purpose it was sold, and who the data was sold to.
“Companies must also begin thinking about how to manage the opt-outs [they] will receive from consumers who no longer wish to have their data sold for marketing purposes,” Sparrow says. “Companies should think about this strategically as to how they can provide value to the consumer while being transparent how the consumer benefits.”
Stephanie Miles is a senior editor at Street Fight.