A GDPR-style privacy law in California is serving as a blueprint for other states, suggests a report today.
Following the example of the California Consumer Privacy Act (CCPA), which takes effect on January 1, two further states have passed privacy laws and almost 20 more are considering it…
Starting on Jan. 1, 2020, California is offering residents privacy rights that are the first of their kind in the nation. But with nearly 20 states considering privacy legislation, it won’t be long before regulations spread across the country.
Nevada and Maine have already passed privacy laws, and at least 11 more states considered privacy bills. While they didn’t pass in 2019, advocates have plans to submit more legislation in the coming year. In addition, five other states have tabled new privacy rules and instead created task forces that will study how to regulate data privacy.
As is often the case, California has set the agenda for state houses across the nation. With nearly 40 million residents, California and its frequently progressive legislature has been at the forefront of laws covering everything from plastic bag bans to animal welfare laws in recent years. Now, privacy is on the agenda.
CCPA is in turn modeled on Europe’s GDPR (General Data Protection Regulation), the gold standard for privacy laws so strict that even Apple had to beef up its protections to comply.
The California Consumer Privacy Act, known by the initials CCPA, starts by giving residents the right to learn what data companies have collected about them, to ask companies not sell that data and to request the data be deleted. The data can come from any source, including the internet, databases and paper forms.
The law defines personal information broadly, so everything from your browsing history to personal characteristics such as race and marital status are covered. The definition also includes biometric and location information.
Other states are opting for less strict versions, however.
Nevada’s new law, which went into effect in October, applies only to data collected from consumers through the internet. Maine’s law, which passed in June, applies only to internet service providers.
And even California didn’t adopt all GDPR standards.
California’s law, however, leaves out a few major components of the GDPR, such as requiring companies to have a valid reason for processing data and minimizing the amount of data they collect.
The craziness of companies having to potentially comply with 50 different privacy laws means there is growing pressure to enact a single federal GDPR-style privacy law which will override state ones. Many of us have pointed out that the sensible course of action in a global market would simply be to replicate GDPR in the US and other countries so that there is one single standard to meet worldwide.
FTC: We use income earning auto affiliate links. More.