Potential ballot initiative could bring GDPR-like privacy rules to California
It would apply to all businesses that use consumer data for commercial purposes and allow consumers to sue for damages.
A proposed California ballot initiative would give consumers the right to ask businesses what personal data are being collected about them and how it’s being used and allow them to opt out of further collection and usage. Called the California Consumer Privacy Act of 2018, it must still qualify for the November ballot.
It was first proposed in September 2017 and could become a major headache for companies that use or resell consumer data. There are parallels to GDPR, although the California law (if passed) puts the burden on consumers to request disclosures from companies and allows them to opt out. GDPR requires opt-in consent for the use of consumer data.
The measure is intended to give Californians more information and control over how their data are being used. It would apply to all businesses that use consumer data for commercial purposes, not just technology or internet companies.
Consumers who decided to opt out could not be punished or charged higher prices for services under the rule. And here’s the part that data-using companies especially won’t like: It allows public prosecutors and citizens to sue for data breaches or for the sale of personal data after someone has opted out. There’s no requirement that specific harm be proven before damages can be awarded.
If it qualifies for the ballot, expect it to be aggressively opposed as an attack on small business and the California economy; however, it’s really aimed at technology companies and the data ecosystem that most consumers don’t even know about, let alone understand.
If passed, it would certainly be challenged in court, but it also could have national implications, because most technology companies operate on a national scale and touch consumers in California in one way or another.