Home Privacy How The California Consumer Privacy Act Stacks Up Against GDPR

How The California Consumer Privacy Act Stacks Up Against GDPR

SHARE:

While both the California Consumer Privacy Act and Europe’s General Data Protection Regulation address the collection of personal information by businesses, they are actually quite different.

Here’s where they diverge and why the advertising trade orgs are lobbying like bandits to block the California act’s passage. The IAB, DMA, ANA, 4As and NAI decried the proposed legislation Thursday in a joint webinar.

(The proposal has more than enough signatures to get on the ballot, although the final decision won’t be made until June 25. If it does make it on, which is highly likely, the initiative could be voted into law during the general election in November.)

CA vs. EU

First off: legitimate interest. There’s no such concept in the California action.

The ePrivacy wild card aside, GDPR allows for legitimate interest as a legal basis to process data for direct marketing. Ad tech companies and other third parties are hitching their star to legitimate interest as a way to continue collecting data or analytics tracking without having to get consent.

Second: the definition of personal information. Beyond all the usual stuff – email address, Social Security number, driver’s license number – the proposal considers browsing, search history and app interaction data to be personal, as well as any inferences drawn from the data collected.

“The practical application of this definition contains virtually every data point we can think of,” said Dan Jaffe, group EVP of government relations at the Association of National Advertisers.

Third: consent. Under GDPR, consent is the gold-standard legal basis for data processing, and companies need to obtain it proactively. The California law would stick with the status quo in terms of an opt-out regime – consumers would need to actively request that their data not be collected – but it also proposes more stringent restrictions on data collection and use.

For example, businesses would not be able to deny service or change service in any way if a consumer opts out and could only ask consumers to reconsider their opt-out preference once a year.

Next up: fines. They’re steep. Infractions such as the failure to disclose on request all of the categories of information collected and the failure to disclose all the third parties with whom personal info was shared both would result in a minimum $1,000 fine per person per violation.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

“That could quickly add up to millions or billions of dollars for companies doing business in California,” said Alison Pepper, SVP of government relations at the 4As.

Which leads to enforcement. Beyond official enforcement by the attorney general or a district attorney, the California act includes the private right of action, which means consumers can sue companies directly for alleged violations.

“There’s the possibility of dual action for the same enforcement: the attorney general going after you for a public action and [trial] attorneys going after you for a private action,” Pepper said.

No harm, all foul

The advertising trade orgs are particularly miffed by a section of the California initiative that would allow private consumers to seek redress for “injury in fact,” meaning they wouldn’t have to prove harm, economic or otherwise, before bringing a suit, which could open the door to class-action lawsuits, Jaffe said.

In other words, any violation would automatically be considered harm.

“The mere fact of somebody’s IP address being released or their browser information when they went to go find the weather or look up a sports score – if that kind of information leaked, [consumers] would be able to sue,” he said, “and that could mount up to millions of pieces of information very easily.”

This is contrary to how the Federal Trade Commission approaches enforcement, which requires the consumer to prove harm before it takes any action.

“The kicker of this is that it flies in the face and vitiates every notion we had about harm,” said Brad Weltman, VP of public policy at the Interactive Advertising Bureau.

Beyond borders

The California Consumer Privacy Act is almost guaranteed a spot on the ballot.

Alastair Mactaggart, the wealthy former real-estate-developer-cum-privacy-champion who’s already spent nearly $3 million of his own money to advance the cause, has submitted more than 670,000 signatures to the California secretary of state, although the initiative doesn’t need even half as many to make it onto the ballot. Even if a large portion of the signatures are invalidated, it’s nearly assured that there’ll be enough to pass it through.

If the initiative does become law, its effect on US businesses will extend beyond California, which has a population of almost 40 million. “It’s kind of hard to do business in this country and completely ignore California,” Pepper said.

Companies would be subject to the law if they do any business in California and either have gross revenue of $50 million or more, sell or share information on 100,000 California residents or devices and/or get 50% or more of their annual revenue from selling personal info.

“California then becomes the baseline for every other state,” said Chris Oswald, VP of advocacy at the ANA-owned Data & Marketing Association. “Other citizens living in other states are going to be bound by California, which is crazy.”

Must Read

Comic: Gamechanger (Google lost the DOJ's search antitrust case)

DOJ v. Google: How Judge Brinkema Seems To Be Thinking After Week One

Where the DOJ v. Google ad tech antitrust trial stands after one week’s worth of remedies arguments.

Swish, A Company That's Bringing Programmatic to Product Sampling, Announces Seed Funding

Swish, a startup that partners with retailers to provide product full-size CPG samples to people doing their grocery shopping online, announces $2.3 million in seed funding.

DOJ v. Google: During Opening Arguments, The DOJ And Google Battle Over An AdX Divestiture

Court is back in session. And the fate of  the open internet is in the balance.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Chris Mufarrige, director, Bureau of Consumer Protection, FTC

FTC Consumer Protection Chief: No Easy Answers On Privacy, ‘Only Trade-Offs’

Privacy isn’t black-and-white, says the FTC’s Chris Mufarrige, promising evidence-driven consumer protection cases under the Trump administration.

How Encryption Keys Could Resolve The TID Furor

Rather than sharing universal TIDs that any DSP or curator can access, Raptive says publishers should instead share encrypted TIDs with an encryption key provided only to trusted demand-side partners.

Clear Channel Brings Mid-Flight Measurement To Its OOH Network

Clear Channel will provide advertisers weekly, mid-flight reports on outcomes driven by its inventory in order to bring OOH measurement closer to the speed of digital.