The new California Consumer Privacy Act of 2018 applies to for-profit entrepreneurs and companies doing business in the State of California that, alone or jointly with others, collect personal information on California residents and that meet one or more of the following criteria:
More privacy. It seems like a good thing—something like money or apple pie, where more is better.
At least that’s what the folks down the hill in Sacramento seem to think. A couple of weeks ago the California legislators passed a new privacy law, all 16 pages of it, unanimously, with barely a fist full of absentees and no “Nays.” The catalyst for the law was a ballot initiative on privacy scheduled for November which had been financed by a wealthy real estate investor. The new law strikes a bargain with the investor as it takes effect on January 1, 2020 the condition that he withdraws his initiative.
At the moment there’s plenty not to like in the new law. Its unintended consequences will hurt small and medium-sized businesses and limit effective civil and political discourse to a small number of on-line platforms.
Like the recently implemented European General Data Protection Regulation (the “GDPR”) the California law covers all personal information, regardless of whether such information is collected, sold or transferred over the internet, by video, manually, or some other fashion. Although the law applies to only certain for-profit entrepreneurs and companies, it will, none-the-less, sharply curtail the collection, sale or transfer of personal information about California residents. Indeed, ...
Angst over the use of data on individuals in the United States for marketing and political purposes has led many to suggest that the European Union’s new General Data Protection Regulation provides a regulatory model that the US should emulate.
Any discussion of this issue must be grounded in a substantive understanding of the GDPR’s requirements which are much more extensive than most commentators have described. I don’t believe that anyone is attempting to gloss over the scope of the regulation - rather, the damn thing is 88 pages long, far too much for most of us to assimilate in one sitting. Just because I was curious, I did a comparison of word counts and the regulation (I’ll start referring to it as the GDPR) is 7 times longer than the US Constitution.
So the purpose of this post and the next is to provide the detail necessary to understand it. And the thing is - IT’S NOT JUST ABOUT CONSENT.