California’s New Data Privacy Law Could Begin a Regulatory Disaster

Photo: the Facebook login screen on an iPhone 8 Plus, May 25, 2018 (Jaap Arriens/NurPhoto via Getty Images).

When the European Union adopted the General Data Protection Regulation (GDPR) in 2016, many in the technology industry saw it as just the first of many such data privacy laws to come.

They were right. And, as a result, we may be on the brink of a convoluted regulatory disaster.

In June, California became the first U.S. state to pass a comprehensive consumer data privacy law, the California Consumer Privacy Act. When it goes into effect on Jan. 1, 2020, the act will provide the state’s roughly 40 million residents with rights similar to those granted to European citizens through the GDPR.

The hastily approved act gives all California residents the right to see what personal information is being collected by businesses and to request that this data be deleted. They will also be able to discover whether organizations are selling their information to third parties, such as advertisers, and to request those organizations stop doing so. It will be the most comprehensive data privacy law in the country.

That said, while the GDPR was criticized for being too ambiguous, it looks downright hyper-specific in comparison to the California law. For example, the act defines “personal information” broadly enough to include IP addresses, and it applies to any business that annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices. Thanks to that loose categorization, it has the potential to cover not just organizations that sell individuals’ data for financial gain, but also websites that merely log the IP addresses of millions of unique visitors per day.

In 2017 alone, over 1.9 billion files were leaked through security breaches. After the California Consumer Privacy Act comes into force, organizations mishandling data could face civil penalties of up to $2,500 for each violation, and up to $7,500 for each intentional violation. The financial impact to businesses could be enormous, and that doesn’t even take into account the soft costs associated with loss of customer and employee confidence and damage to brand reputation.

Data privacy regulation in America is about to become seriously confusing. Every state now has a breach notification law, but since the GDPR came into effect only a handful have updated theirs, and the laws still vary significantly in what they require and what they penalize: Texas imposes civil fines of up to $50,000 per violation, while Georgia imposes no penalty at all.

It’s likely that other states will soon pass their own data privacy legislation. Just over half the public (51%) thinks technology companies should be regulated more than they are now, according to a June 2018 report from the Pew Research Center. As security breaches and privacy concerns continue to make headlines, public awareness of and demand for stronger data protection practices are likely to increase.

If each state takes on a local approach to data privacy, America will become a patchwork quilt of regulation, making it an extremely challenging place to do business.

Imagine having to ensure that datasets with personal information on millions of people comply not just with the GDPR, but also with 50 different and sometimes contradictory state policies. As people move from one state to another, presumably the rules governing their data would change with them. How can organizations possibly keep track?

This is the stuff CIO nightmares are made of.

What we need is a common set of rules for everyone, ideally similar to the GDPR’s, which U.S. organizations doing business in the EU are already following. This would minimize the regulatory burden while also providing U.S. citizens with substantial control over their personal information.

A discussion draft of a proposed House bill, the Data Acquisition and Technology Accountability and Security Act, would create federal standards for breach notification that would preempt state laws. However, the bill is too narrowly focused on notifying customers after their data has been stolen; it fails to provide them with the more comprehensive rights they need to control their personal data in the first place. It will need to be strengthened significantly to meet the privacy demands of U.S. citizens.

In any case, Washington needs to act soon. Otherwise, the U.S. may end up with a regulatory scheme that makes GDPR compliance look like a walk in the park.

Danny Allan is the vice president of product strategy at Veeam.