As the UK struggles to chart out its post-Brexit response to GDPR, other geographies are going ahead with their own privacy initiatives inspired by the European Union’s regulation. California joined the list on 1 January, bringing the California Consumer Privacy Act (CCPA) into effect.
The implications of the Act will be felt in the UK too, privacy regulation experts told SC Media UK.
Cleared unanimously in June 2018, the legislation -- the first US legislation to have a comprehensive group of regulations around consumer data -- came into effect after braving strong dilution attempts from the powerful tech lobby in the country.
Stripped to the bones, the law allows residents of California to see the data about them collected by companies, know whether the data was sold and which companies bought it, direct businesses to stop selling that data to third parties and even demand deletion of the entire dataset.
Companies, from tech giants Apple, Google and Facebook to public service websites that access user information, come under the ambit of the law.
A day before the law came into effect, Mozilla announced it'll give the users of Firefox the option to delete the data collected by the company. The option will be present in the version of the browser to be released on 7 January.
Although Firefox does not collect browsing history or searches, users will be able to delete telemetry data, which has the details of the number of tabs open and the duration of browsing sessions.
Microsoft said in a November blog post that it would apply CCPA norms to all users across the US.
"California is home to innovative IT companies that operate globally. As CCPA comes into force, this law will change how personal data is handled in California and may affect how businesses operate beyond this state," said Dyann Heward-Mills, CEO of HewardMills, which provides data protection support for multinational companies.
"For example, Californian consumers are protected when their data is collected in their home state and may have some rights – like the right to access – on information collected beyond the state’s boundaries when a business operates in multiple jurisdictions. Given that the ad tech space is a key focus of this regulation, we are likely to see companies adapt their practices over the coming months."
Any company operating in the UK that meets the conditions for compliance set forth in the CCPA is required to abide by the law, Attila Tomaschek, digital privacy expert at ProPrivacy, told SC Media UK.
"In other words, any company in the UK that serves California residents online and collects the data of over 50,000 Californians, generates enough annual revenue, or makes the majority of its money from data collection will need to comply. This is regardless of whether the company is based in the UK, or based in California but with operations in the UK," he said.
Californian companies with operations in the UK are expected to be in compliance, and likely will simply offer the same privacy protections to UK residents rather than cater separately for individual populations, he noted.
"Similarly, it would also be practical for any applicable UK-based organisation that serves California residents to simply apply the CCPA protections to all of its customers across the board. The CCPA will therefore undoubtedly have significant implications for both businesses and consumers in the UK."
The influence of GDPR is evident as CCPA has adopted many of the core data privacy principles, Tomaschek pointed out.
"Both laws give consumers substantial new privacy rights and ownership of their personal data, and both laws seek to hold companies accountable for the proper and secure collection and processing of consumer data by levying considerable fines for violations," he said.
"The GDPR and CCPA are certainly the torchbearers in the push for increased data privacy rights for consumers, and are inspiring other states and countries to enact similar legislation. For instance, the states of New York, Massachusetts, Hawaii, Maryland, and North Dakota have all proposed privacy legislation that closely reflects the tenets applied by the GDPR and CCPA."
In addition to the US and the EU, other regions around the globe have taken steps to push data privacy laws for their own residents. Brazil’s data protection law is set to take effect this February, while India’s data protection regulations and New Zealand’s updated Privacy Bill are expected to take effect sometime in 2020.
"What this new law comes down to is giving consumers the right to take back control over their information from thousands of giant corporations," wrote Alastair MacTaggart, chair of the group Californians for Consumer Privacy.
The consumer privacy group had sponsored a ballot initiative to circumvent the legislature and put the Privacy Act to a vote.
"This is about power: the more a company knows about you, the more power it has to shape your daily life. That power is exercised on the spectrum ranging from the benign, such as showing you a shoe ad, to the consequential, like selecting your job, your housing, or helping to shape what candidate you support in an election," he wrote on the Californians for Consumer Privacy website.
However, work remains before the CCPA is fully up and running, as the California attorney general has yet to adopt implementing regulations concerning the act, said Heward-Mills.
"Businesses will need to consult their data protection officers, consultants and legal advisors and promptly act on recommendations. I expect to see changes made after the law goes into effect that take more niche industries and a wider range of possibilities into account."
"Although federal privacy legislation seems inevitable at some point in the future, the timetable for enacting a national privacy law in the US is even murkier as hyper-partisan members of Congress are failing to agree or compromise on key aspects of how such a law should be applied," warned Tomaschek.
In this situation, CCPA stands as an important and significant step in favour of consumer data privacy protections, not just in California or in the US, but globally as well, he observed.
"Consumers are finally being granted the fundamental rights to take ownership of and protect their valuable, sensitive personal data, and significantly limit the ways in which companies can process that data. The CCPA, along with the GDPR, is demonstrating that robust data privacy regulations are here to stay and that they have the power to spur genuine, global progress towards properly protecting the data rights of consumers around the world," he said.
Data regulation is not going away and the more companies can do to get ahead of this curve, the better off they will be, said Heward-Mills.
"Data collection and processing is becoming a highly regulated industry and organisations cannot afford to stand still on this wave of legal change."