In a conversation with a lawyer a few months ago, the comment was made that the US has already implemented GDPR. This is not necessarily true. The US has created some privacy regulations, but just small bits of it in each state; collectively similar to GDPR, but no one jurisdiction is anything like GDPR. However, a new regulation out of California could have just started the snowball rolling down the hill…The California Consumer Privacy Act will go into effect January of 2020. This regulation is similar in spirit and many details to GDPR. What is fascinating is how the bill was enacted. This article explains how California politics works, and points out that the rapid adoption of the legislation is actually an attempt to create a more flexible environment for companies to negotiate the various compromises that I am sure will come. It is also worth noting that for those companies that are well on the way towards GDPR compliance, they will essentially already be compliant with the California law. I do not see this being the last state to create or update their privacy laws. This was a trend that was already underway. However, California is a big state, and home to many tech companies.
According to the regulation, any company that holds data on more than 50,000 people is subject to the law, and each violation carries a $7,500 fine. This will create some major shockwaves at companies like Google, Uber and Facebook, whose business models rely on leveraging customer data.
Plus, California’s new law will surely have an influence on how other states address the privacy issue. We expect more states to follow suit and release their own versions of GDPR. Consumer privacy is certainly not going away.