California Gov. Jerry Brown signed the Consumer Privacy Act on Thursday, giving residents of the state significantly more control over how their data is collected, used and handled.
Although the law will not go into effect until January 2020, it will without question have massive implications for every brand, agency and tech company both here and abroad.
Here's the TL;DR
In short, California just passed its own digital privacy law, allowing consumers to know what information companies are collecting about them, why they are collecting that data and who they are sharing it with. It also arms residents of the Golden State with the ability to tell tech behemoths such as Google and Facebook to delete their data, not to share their data or not to sell it. People can also opt out from a company's terms of service without losing access to its offerings. And companies are barred from selling data on anyone under the age of 16 without explicit consent.
The new law will moreover hold brands accountable for any data breaches, allowing consumers to sue them up to $750 for each violation.
The California attorney general can sue for $7,500 for each intentional violation of privacy.
Translation: Companies such as Target, Adidas, FitBit, Home Depot, Chili's, Equifax, Facebook, among the many, many other companies that have experienced data breaches, will now be held significantly more accountable for failing to protect consumer data.
"Consumers' personal information is clearly endangered and consumers are fed up with impacts that could last a lifetime," says Chris Olson, CEO of The Media Trust, a company that provides publishers and brands tools for digital governance. "Thus far, 48 states in all have enacted privacy laws requiring notification of security breaches involving personal information. Echoing global initiatives, especially the E.U.'s GDPR, the trend to more closely govern personal data will continue."
What about all those tech companies?
Companies such as Google, Facebook, Amazon, Microsoft, as well as trade bodies such as the Data Marketing Association and Interactive Advertising Bureau all threw large swaths of money to thwart the bill from being signed into law through the "Committee to Protect California Jobs."
Expect them to vigorously fight for concessions that would weaken the bill leading up to 2020, says Jason Kint, CEO of Digital Content Next.
"The duopoly will fight like mad to amend this thing into their interests," Kint says. "Facebook will take a back seat to Google because Facebook is so toxic to any privacy discussion right now. And like we're seeing with GDPR, enforcement including antitrust scrutiny of the duopoly matters, otherwise Google determines the rules and wins the game."
"Fasten your seat belts," Kint adds.
The biggest question is whether tech companies will tailor their data practices for California residents only or extend those new practices to cover the entire country. Other states may adopt similar measures, and observing more than one regulatory regime is burdensome in any case. Then again, they may not wind up with a choice.
"The risk here is rather than have a single federal law, or, a self-regulatory regime that's aligned with consumer expectations, the ad industry will end up with a patchwork of state laws on top of GDPR," Kint says. "That becomes a cost to everyone."
Michael Connolly, CEO of ad tech company Sonobi, says multiple versions of privacy legislation at the state level would result in significant challenges—both for tech companies trying to comply and for legislators looking to enforce the law.
Even if California becomes the only state with such protections around data, hurdles will still exist.
"We can target a user down to a zip code so understanding that a person is in California should not be a challenge," Connolly says. "To provide information to a specific user in the same vein as GDPR is technically feasible. I am not sure how pragmatic it would be to enforce these laws given the tech companies would not know if a person was a resident of California or simply passing through."
Marc Benioff, CEO of Salesforce, has written that it's "time for a national privacy law."
~ ~ ~
CORRECTION: An earlier version of this article said Salesforce CEO Marc Benioff had called California's new data privacy law insufficient. He did not say the law needed to be stronger, only that he supports a national standard.