This past May, the General Data Protection Regulation (GDPR) went into effect. This regulation requires businesses to obtain affirmative consent from a data subject to use their personal data. It also requires a business to provide a user the ability to revoke consent, and this action must be tracked and logged and easily presented.
Following the GDPR, in 2020 California will instate a new data privacy law, the California Consumer Privacy Act, A.B. 375. Following in the same vein as the GDPR, this law grants Californians more power over how their personal information is used online. It states that residents must be informed about the type of data that is obtained and why their data is being collected—where will it be used? Will it be sold, and if so, to what companies and for what purpose?
Additionally, just as the GDPR gives users the power to revoke consent for the use of their data, the California Consumer Privacy Act states that a user has the ability to “delete personal information, opt-out of the sale of personal information, and access personal information in a ‘readily useable format’ that enables its transfer to third parties without hindrance.” (Harvard Business Review)
So what kind of data are we talking about? Here are the types of personally identifiable information (PII) the Act includes (from Harvard Business Review):
Where the new law gets a little sticky for businesses is digital advertising. Businesses must give California residents the ability to delete their data or transfer it to other businesses, which poses a threat to businesses that profit from digital and web advertising. Harvard Business Review points out that this also threatens the accuracy and reach of the types of audiences advertisers provide their consumers on their social and web platforms, as well as companies like Acxiom, Epsilon, Experian, and Oracle, which collect individual data and sell it to third parties.
California residents will not only be given power over how and when their data is used. They will also have the legal right to request where their data was sourced from, where and for what it’s being used by a specific company or organization, whether it is being disclosed outside the company that obtained it, whether that company is selling it, and where it’s being sold to. So, in theory, if a resident doesn’t want their data on Facebook, for example, to be used to build an audience that Facebook uses to appeal to advertisers, they can revoke consent and delete their data. If this starts happening on a larger scale, the accuracy with which many advertising platforms market to specific audiences will be jeopardized.
The Act also protects users who choose to withhold their data from advertisers. Per Proskauer, a business can’t discriminate against these users. What this means is that “businesses cannot deny goods or services, charge different prices for goods or services, or provide a different quality of goods or services to those consumers who exercise their privacy rights.” There is a slight loophole that could work in advertisers’ favor, though, Proskauer points out: “The Act does permit businesses to charge a different price, or provide a different level of service, to a customer ‘if that difference is reasonably related to the value provided to the consumer by the consumer’s data.’”
Stay on top of data privacy laws and the industries they will affect in our GDPR hub. We’ll continue to provide updates on how the GDPR and the California Consumer Privacy Act will influence future regulations, further returning the power over personal data to the original data subject.