California may lead the way on GDPR-like regulations in the US
The influence of the European Union’s General Data Protection Regulation, which took effect May 25, is likely to be felt in the United States as well, particularly if a proposition that appears headed for the California ballot is successful, experts say.
The proposed California Consumer Privacy Act reflects some of the GDPR’s provisions, and is likely to be followed by other states, if it is approved, they say.
The California proposition “brings GDPR to the U.S.,” said Gamelah Palagonia, senior vice president and cyber risk specialist with Willis Towers Watson in New York.
Supporters of the measure say they have submitted 625,000 signatures, which they say are enough to qualify it for the ballot.
Although it differs, “it’s pretty much mirroring the major elements of GDPR, which basically gives individuals the right to know what businesses are doing with the information they collect, how it’s secured, and gives them the right to object to the sale of that information,” said Ms. Palagonia.
“It does sound a lot like the GDPR,” said Max Perkins, London-based senior vice president, global cyber and technology, global professional and financial risks with Lockton Cos L.L.P.
“The most striking thing about the proposition is, they are giving serious rights to private action for consumers where there’s been a violation,” he said.
“We’re going to be talking about some really serious damages going forward, and also some really serious litigation costs,” which have not been serious to date, he said.
“That’s actually the biggest area of concern coming out of” the proposition, said Annmarie Giblin, New York-based senior counselor, cyber liability, for Chubb Ltd.
One key difference between the proposed California regulation and the GDPR is the penalty structure: under the GDPR, companies can be fined up to 4% of global annual revenues or €20 million (about $23.9 million), whichever is greater, for the more serious breaches.
A provision in the California proposition states violators may be liable for a civil penalty of up to $7,500 for each violation. A spokesman for the group that is behind the proposition could not be reached for comment.
Annie O’Leary, Chicago-based senior broker with Aon P.L.C.’s professional risk solutions group, said the California proposition “is not as far-reaching as the GDPR, but there are some elements of it in terms of consumers having better control of and access to their data” that are common to both.
Matthew McCabe, New York-based senior vice president with Marsh L.L.C.’s cyber practice, said “at the end of the day, the most relevant point is, we’re getting to more comprehensive data privacy regimes that are being mandated globally.”
Experts note California led the nation with the first data breach legislation in 2002, and many expect that should it pass, the proposition would be similarly influential.
“One way or the other, the other states will follow suit,” said Scott L. Vernick, a partner with Fox Rothschild L.L.P. in Philadelphia, whose areas of focus include privacy and data security.
However, Joshua Gold, a shareholder and cyber insurance recovery attorney with policyholder law firm Anderson Kill P.C. in New York said: “Other states will follow California’s lead, but not a majority of states, and I think given our own systems (in the U.S.), you would have a real push by business to lobby against too much regulation in this space, given just how valuable big data has gotten.”
“I would expect things to change gradually over time, but I don’t think we’ll see anything in terms of the scope of the GDPR in the near future,” he said. “I think gradually we’ll get to greater protection,” but there will not be an immediate “sea change.”
He added, “I do think there is a greater sense of privacy rights that exists in Europe that simply does not exist in the United States.”
In addition, he said, “We also have another big driver of keeping regulation limited” in California, Massachusetts and some other regions of the country, “where data-driven businesses are major heavyweights in the economic world.” There is an “uneasy co-existence between those business models and individual privacy rights” with regard to regulation, Mr. Gold said.
Meanwhile, to the extent firms do business in California, they would "be subject to the proposition," said Scott N. Godes, a partner at Barnes & Thornburg L.L.P. in Washington and co-chair of the firm's cyber risk and data privacy group. The California standard will set a new baseline, he said.
While large companies that do business in Europe are already complying with the GDPR, passage of the California proposition would mean additional costs for smaller firms that do not operate internationally, said Mr. McCabe.
“You are undoubtedly putting in a scheme of compliance that is going to drain resources” for these businesses, he said, and there is still the unanswered question as to whether these provisions will protect data “any better than what we had before.”
Ms. Giblin said smaller and midsize businesses’ adaptation to the changing regulatory environment around the issues of privacy and cyber security could be more difficult for them than it would be for larger firms.
Most experts say they do not anticipate there will be federal legislation on the issue, at least in the immediate future.
“I expect that you will see (legislation or regulation) more readily at the state level than at the federal level,” which is more subject to gridlock, said Mr. Vernick.
However, Ms. O'Leary said, "I would imagine we're going to see a lot more activity at the federal level."
Larry Clinton, president and CEO of the Arlington, Virginia-based Internet Security Alliance, said he hopes regulators in the United States will continue to follow what he views as the more effective partnership mode, with industry and the government working together on the issue of privacy, rather than following the GDPR’s “punitive” model.
That would be more appropriate than the GDPR’s “draconian” penalties, which could ruin major companies, he said.