California paving the way for better privacy in the US

California Privacy laws
© iStock/andriano_cz

Government Europa welcomes guest contributor, Adam Dubois, to discuss how new consumer privacy laws introduced in California could influence legislation across the US.

Ever since the introduction of GDPR in the EU in 2017, many experts have been predicting that the United States would follow suit. Nevertheless, there is still no federal legislation that comes anywhere close to achieving what GDPR has for the EU. This has left many disappointed, as GDPR has generally been considered a victory for EU citizens.

In lieu of any federal regulations, the best that US citizens can hope for right now is that the states will take up the fight instead. A new law introduced in California, the California Consumer Privacy Act, could pave the way for a raft of similar legislation from other States.


The CCPA goes far further than any previous state legislation has in the United States with regards to data privacy. The CCPA empowers Californian citizens to take control of their data and to hold businesses who collect it and store it accountable. Some experts predict something of a domino effect following the introduction of the California Consumer Privacy Act. There is now a widespread expectation that this legislation will open the floodgates and we will soon see other states, primarily Nevada and New York, following suit.

Not only will Californians be opted-out of any data collection or selling, but they will also have the legal power to formally ask businesses exactly why they feel it necessary to collect specific pieces of data. Crucially, businesses will also be forbidden from discriminating against any customers who decide not to opt-in to their data collection programs. There are also fines set for ‘actual damages’, which means that some businesses might suffer huge losses for unlawful use of Californian data.

The Three Pillars

There are three fundamental rights that the CCPA grants to Californian citizens. These are the right to know, the right to delete, and the right to opt-out. Californian citizens will be the first in the country to have these fundamental legal rights regarding their personal data.

The right to know is pretty self-explanatory. It simply means that Californians have the right to know why a business is collecting their data, what they will use it for, and who they will sell it to.

The right to delete mirrors the right to be forgotten that has existed in EU law for some time now. As you might have guessed, this right guarantees Californians that they can formally request a business delete any data that it holds on them.

Finally, the right to opt-out ensures that consumers always have a legal right to withdraw their participation in any data collection program. Any customers aged 16 or under must opt-in before their data can be collected. Meanwhile, those aged 13 or under must opt-in with the consent of a parent or guardian.

Domino Effect?

There are several reasons to suspect that this law will be the first of many introduced at the state level across the United States. For one thing, many American consumers have been jealous of EU citizens and the protections they enjoy under GDPR. Since GDPR came into force, there have been whispers of a similar law being implemented at the federal level in the US.

However, such legislation does not appear to be high on the legislative agenda in Washington, even after the 2016 election. It may well be that as more states adopt similar laws to California, a standard naturally emerges. If there is legislative harmony amongst the states, that would imply that there is consensus on what such a federal data protection law would look like should one be written.

Many US businesses have already had to shoulder the costs of bringing themselves into compliance with GDPR. This could be a blessing in disguise and could mean that they don’t need to do much in order to bring themselves into compliance with the CCPA.

The only real opposition to the new law has come from businesses that claim the new law places an undue financial burden on them. According to a study released by the California department of finance, businesses of 20 employees or less should not have to spend more than $50,000 to bring themselves into full compliance. Larger businesses, those that employ 500 people or more, may be looking at costs that run into the millions. However, some of these costs will be offset by previous work that’s been done in order to ensure GDPR compliance.

While this law will only apply to California, any business wanting to do business in California must also be compliant. Given what a big domestic market California is, we may well see many national businesses changing their practices in anticipation of wider legislative change. The general feeling among most businesses seems to be that it is better to get ahead of data protection legislation, rather than trying to play catch up later.

With this new law, California is setting a standard for the rest of the nation to meet. Hopefully, this act will be the first of many introduced across the United States.

You can read more about data protection with proxies:



Please enter your comment!
Please enter your name here