Data Privacy Regulation Comes Stateside: A Look at California's Consumer Protection Laws

Back in June, the California state legislature passed one of the more stringent data privacy laws to date affecting United States citizens. Building on many of the same tenets of the infamous General Data Protection Regulation (GDPR) from the European Union, the bill -- dubbed the California Consumer Privacy Act (CCPA), A.B. 375 -- was designed to put safeguards in place for consumers stateside that are currently missing on the federal level.


While data privacy has been the topic du jour in the digital world -- especially among Silicon Valley giants in the wake of the Cambridge Analytica scandal -- there has been very little done to date to protect consumers from the digital companies we interact with on a near-constant basis.

In its simplest terms, the CCPA extends many of the “rights” that were established for citizenry of the EU as part of GDPR to residents of the Golden State, where many of the world’s largest data-driven businesses are headquartered. This includes the right for consumers to know what information companies are collecting about them, why the data is being collected in the first place and who the data gets passed onto.

To that end, the new law -- which won’t actually go into effect until January 2020 -- makes it easier for consumers to take legal action against companies in the event of a data breach, a la the landmark Equifax debacle that was uncovered in the summer of 2017. Children under the age of 16, too, enjoy greater protections, as the law makes it more difficult for companies to share or sell their data.

As stringent as the regulation may be, it’s still tamer than a proposed ballot initiative that would have tied even more restrictions to companies had the approved bill not made it through the legislature in June. While not nearly as expansive as the GDPR, the CCPA still empowers consumers to make companies delete their information, while restricting businesses from sharing personal data.

The state’s attorney general also enjoys more freedom to fine companies that violate the CCPA, which is a boon to consumers far outside of California. This places the impetus on global corporations headquartered in the state (looking at you, Facebook) to change their data privacy policies en masse rather than take a piecemeal, “per geography” approach.

A challenge and an opportunity for digital businesses

What the law really does is help companies continue making positive strides where data privacy is concerned that they should have been racing to complete years ago.

Leading up to the May 2018 GDPR start date, companies the world over were repeatedly warned that incremental changes will only leave them on the hook for hefty noncompliance fines -- in some cases, up to 4 percent of the company’s annual revenue, or 20 million Euro, depending on which has the most impact.

Despite having more than two years to start overhauling their practices -- from when GDPR was signed into law and when the policy went into action this past spring -- companies the world over are still, by and large, unprepared to comply.

While this may paint a bleak picture for businesses that have been dragging their feet to meet compliance, these companies need to reframe their mindset and view the CCPA and GDPR as an opportunity to streamline their operations. Businesses can tidy up and overhaul their data stores and dedicate data privacy officers to make sure the information they collect is not only legal, but that it will actually have the most value for the business.

To learn more about how mobile can help open the door to compliance and help companies better reach their target customers, download our latest ebook, or call to schedule a demo with Localytics today.