5. The future of privacy starts in California
Axios' Jennifer Kingson and Kia Kokalitcheva write: A landmark privacy law in California, which kicks in Jan. 1, will give Golden State residents the right to find out what a company knows about them and get it deleted — and to stop the company from selling it.
Why it matters: It could effectively become a national privacy law, since companies that are racing to comply with it may give these privileges to non-Californians, too.
The California Consumer Privacy Act will apply to companies with at least $25 million in annual revenue, have personal information on at least 50,000 people, or earn at least half their money by selling consumers' personal information.
- Next year, any Californian will be able to demand that a company disclose what data it's keeping on them — and can tell them to knock it off.
- Starting next July, Californians will be allowed to sue businesses for certain data breaches, and the California attorney general will be able to bring enforcement actions.
Where it stands: Companies are racing to get their computer systems ready, spending as much as $100 million, according to a PricewaterhouseCoopers estimate quoted in the Wall Street Journal and confirmed by Axios.
Computer architecture is the big sticking point. Consumer information can reside in lots of databases, and the same consumer can be listed under different names, addresses or nicknames.
- "Large companies are struggling with this because they have vast amounts of data, and small companies are struggling with this because they don't have those resources," Peter McLaughlin, a privacy law attorney at Womble Bond Dickinson, told Axios.
Between the lines: While efforts to pass a federal privacy law have failed, companies think it's certain that something like the California law will hold sway nationally — and that other states will follow California's lead — so they're planning accordingly.
- Companies fully expect that people outside California will call them after Jan. 1 to demand that their data be deleted — or cease being sold — and many will comply.
- "The general consensus is that it's an inevitability — not an 'if' but a 'when,'" Kabir Barday, CEO of OneTrust, which helps company comply with privacy laws, told Axios.