Living life on your phone? Change is coming

The United States: The California Consumer Privacy Act

Following the withdrawal of a ballot initiative8 that would have yielded much stricter protections, the California Consumer Privacy Act (CCPA) was passed by the state legislature in 2018, coming into force on 1 January 2020.

As with the GDPR, the CCPA was a dramatic step forward for consumer privacy not only within its own territory, but in adjacent jurisdictions, with many companies extending measures taken to comply with the CCPA across all their US operations.⁹

CCPA does not grant consumers the right to correct erroneous data, object to or restrict processing, nor prevent automated decision-making. It also does not insist that firms have a 'legal basis' for collecting and using personal data or restrict the processing of held data in other countries, whereas GDPR places strict requirements around the conditions under which the data of EU nationals can be stored or processed offshore.

California was the first US state to institute such sweeping reform to privacy laws, and a number of others are now following suit. This has led to calls for overarching Federal legislation¹⁰ to minimise the cost of compliance to US businesses, although a number of companies, including Microsoft and Apple, are instituting CCPA compliance across the country.¹¹

Other initiatives to consider

A number of other jurisdictions are undertaking reform in the area of privacy and data protection.

Following the report of the recent Digital Platforms Inquiry, the Australian Government has committed to a review of the country’s Privacy Act,¹² intended to strengthen requirements around notification and consent, increase penalties for breaches, and allow a right of direct action for consumers whose privacy has been breached.

Brazil’s own version of the GDPR also comes into effect in 2020. The legislation largely mirrors its EU counterpart,¹³ with further exemptions carved out for credit assessment and a somewhat less punitive schedule of penalties.

India also has a new Personal Data Protection Bill before Parliament, which is notable for mandating storage of information on local severs and raising concerns about the considerable latitude given to government agencies¹⁴ under the pretext of national security and public order.

As with the GDPR, the CCPA was a dramatic step forward for consumer privacy not only within its own territory, but in adjacent jurisdictions, with many companies extending measures taken to comply with the CCPA across all their US operations.”

Ongoing complications

Despite the progress made over recent years to empower consumers in relation to the use of their personal information, it is likely that these reforms will be an ongoing process. Not every aspect of these measures has been straightforward to implement; data portability, in particular, is a work in progress for many jurisdictions.

In addition, despite the additional requirements around notification and consent, it is difficult to imagine that, given the volume and complexity of such information served at consumers on a daily basis, consent is truly informed and freely given. It is more likely that very few of us are reading each of these statements in detail, and that the average data subject is not significantly more informed about the ways in which their personal information is being used than was the case before these reforms were implemented.

Solutions to these issues may be more likely to come from the private sector than for government, and many tech companies are already staking out positions on privacy as part of their USP.¹⁵ Under this paradigm, users place their trust in a brand to protect their right to privacy rather than understanding every detail as to how their data is used.

Regardless of whether the answer lies in regulation or in reputation, the 'wild west' era of unfettered use of online data is well and truly over, and as our lives become ever-increasingly connected it will be essential that consumers can be more confident of their rights in this space and the measures being taken to uphold them. People in their various capacities – as private citizens, company directors, business owners – and the like – will not escape the far-reaching net of change.  

¹ Gordon S. & Ram A. (2018), Information wars: How Europe became the world’s data police, Financial Times, 20 May 2018
² https://www.forbes.com/sites/tomcoughlin/2018/11/27/175-zettabytes-by-2025/#3bd8e39b5459
³ European Commission (2019), General Data Protection Regulation: one year on, Media Release, 22 May 2019
⁴ Gordon S. & Ram A. (2018), Information wars: How Europe became the world’s data police, Financial Times, 20 May 2018
⁵ https://www.wsj.com/articles/techs-pickup-of-new-data-privacy-rules-reflects-eus-growing-influence-1525685400
⁶ https://www.wsj.com/articles/5-questions-about-what-to-expect-when-gdpr-takes-effect-1527154200
⁷ https://www.bbc.com/news/business-48905907
⁸ https://www.washingtonpost.com/technology/2019/09/25/privacy-activist-california-launches-new-ballot-initiative-election/
⁹ https://www.nytimes.com/2020/01/15/technology/data-privacy-law-access.html
¹⁰ https://www.nytimes.com/2019/10/14/opinion/state-privacy-laws.html?auth=login-google
¹¹ California gets tough on data privacy breaches. The Australian, December 2019
¹² https://www.smh.com.au/technology/government-to-evaluate-right-to-be-forgotten-but-privacy-reforms-still-years-away-20191212-p53je0.html
¹³ https://gdpr.eu/gdpr-vs-lgpd/
¹⁴ https://asia.nikkei.com/Business/Business-trends/India-s-tech-industry-up-in-arms-over-proposed-data-privacy-law
¹⁵ Yahoo Finance, Apple card privacy security. August 2019