GDPR and California Privacy Act: What You Need to Know

January 24, 2020



BY Konstantine Zuckerman

As of January 2020, the state of California began enforcing extensive legislation relating to consumer data privacy. Any company involved in the use of private and personal data needs to take note and see how this new law can impact their business practices.

With scandals all over the news of Facebook using psychometric data to influence people’s emotions, Congress passing laws allowing companies to sell your user data for profit, and targeted online campaigns fanning the flames of political polarization, it is important for companies to understand how they will be impacted by this new regulation.

Under the new law, California residents have a whole array of new protections, including the right to know the type of data being collected and the reason for collection. On top of that, customers have the right to request the removal of personal data, to opt out of their information being sold, and to access their information in a “readily useable format.”

The new law is groundbreaking both in its ambitious improvements to the standards of consumer data protection and in its expansion of the types of data that are protected. Protected data include personal identifying information, biometric data, psychometric data, and even inferences made by companies on the basis of this information.

This will have a tremendous impact on digital marketing strategies—particularly the use of targeted ads to promote products and services. Allowing California residents to withhold their data from these stores will require advertisers to be more imaginative in finding alternative sales strategies. And this will be the case especially if other states follow California’s lead.

The most far-reaching aspect of this legislation, however, comes from how companies will choose to respond to it. There are two main options:

  1. A total reworking of their current digital marketing strategy and data collection methods to comply generally with California law, or
  2. A patchwork system meant to apply only to their California customers.

This second option is far more expensive than the first and could result in consumer backlash, with non-California residents feeling resentment over different standards for their own protections and rights. The law is set to come into effect in 2020, forcing companies to act fast in reorganizing their marketing strategies in this new regulatory landscape.

The safety of Americans’ data in the hands of giant corporations became a much more pressing issue in light of Mark Zuckerberg’s testimony before Congress in April of 2018, highlighting Facebook’s response to the General Data Protection Regulation passed in the European Union.

The General Data Protection Regulation (GDPR) was adopted in the European Union in April of 2016 in an effort to update older data protection regulations from 1995. The new regulation standardizes practices among European countries and sets the bar high to ensure maximum consumer protection—requiring a large investment from companies in current infrastructure and strategy in order to comply with the new regulations.

The law has a far greater range of protection than the California Privacy Act, protecting health and biometric data, racial and ethnic information, political opinions, and data on sexual orientation as well as standard private and personal data. Companies operating within Europe (or processing European data) and employing more than 250 people are required to comply as of May 25, 2018.

The cost is clear from Zuckerberg’s testimony before Congress. After first stating that they plan to apply these new European regulations across the board and then later obfuscating what they intended to do with consumer data outside the EU, Zuckerberg faced severe criticism in the media.

As widespread support for greater privacy protections intensifies, it is crucial to have a clear and concise blueprint for responding to breaches appropriately. This includes notifying customers of breaches as soon as possible and laying out explicitly the plan to fix and prevent them in the future.

And as the landscape of regulation changes rapidly, companies must remain vigilant to avoid facing penalties and—even worse—violating public trust with their data.


