When the EU implemented the General Data Protection Regulation (GDPR), it did so not only with the narrow objective to provide European citizens with strengthened rights in the digital economy. Its more strategic objective was to use the EU's economic presence to impose data protection and processing standards worldwide, by creating pressure for other regions to adopt similar policy. The way the regulation is designed, if non-EU countries wish to transfer data freely with the EU and conduct business with minimal friction, they are highly incentivized to implement their own data protection policies that closely mirror the structure of GDPR. Countries are beginning to follow suit.
The US, however, has been resistant to address personal data protection standards at the national level. Relative economic strength, frequent political gridlock, and the lobbying power of US-based technology firms have maintained the status quo despite EU pressure. Instead, data protection policy is beginning to take shape at the state level. California, as the largest state economy in the US, recently passed the California Consumer Privacy Act, set to take effect on January 1, 2020. Applying to all organizations that conduct digital business with Californians, the regulation will have a wide reach not unlike GDPR, effectively incentivizing the broad adoption of similar data protection standards nationwide.
As of 2018, if California were a nation, it would be the fifth largest economy in the world, edging out the UK with a gross domestic product surpassing $2.7tn. It has the largest population of any state in the US, with 39.5 million residents, more than 12% of the US population. Much of the nation's high-tech industry is based in California, with many prominent firms relying on data monetization as a business model, and nearly any midsize or large organization in the US that conducts business via digital channels is likely to have customers or prospects that are California residents. A data protection regulation that imposes rules for the use of California residents' data therefore has not just national, but global, reach – affecting all organizations that interact with Californians.
The California Consumer Privacy Act (CCPA) was signed into law by the governor in late June 2018 and is set to go into effect on January 1, 2020. It applies to businesses worldwide if they, or an entity they control or that controls them, receive personal information from California residents. It borrows many key concepts from GDPR, such as the right to data access, the right to data portability, the right to data erasure, and the right to opt out of sale of information to third parties. Some variances exist, and the structure of and reporting process for sanctions are different, but its practical objective is the same: to expand the rights of residents relating to their control over personal information. Much like GDPR, its more strategic objective is to use economic and population heft to advance data protection standards beyond its borders.
In the absence of robust national data protection regulation, CCPA could provide a de facto national standard for data protection given its applicability to any organization that does business with this sizable percentage of the US population. Once businesses in other states must comply with CCPA for their California customers and prospects, there is incentive to create similar data protection policy to facilitate data transfers and digital commerce. This isn't just due to population pressure, though. It also has to do with the complexity of IT architecture and enterprise data management. In a world with perfectly managed data and IT infrastructure, it would be simple for the enterprise to identify and segregate the data of California residents, applying appropriate policies that comply with the regulation while managing the data of nonresidents with less restrictive policies. In the real world, this is typically not the case. IT infrastructure is siloed and distributed, making it difficult to enforce granular policies for different groups of data. US citizens can move freely between states, changing residency and the protection status of their data at any time. From an IT perspective, it is easier to adopt a single standard for data protection and apply it consistently, rather than trying to manage separate policies for separate groups of customers and prospects. From a policy perspective, it is most logical to model this standard based on the strictest regulations faced by the organization. In the US, CCPA is poised to be the highest standard of data protection in the nation.
As organizations begin to modify their workflows, data processing, and data management practices to comply with the rights of California residents, they will likely find that it is easiest to consistently apply these protections to the data of all US customers and prospects, regardless of state residency. Changing enterprise data practices and the pressure to do business with Californians will bring data protection policy to the forefront of other state legislatures, potentially triggering a chain reaction of state-specific data protection regulations. With enough states imposing slightly different data protection requirements, the enterprise is pressured to comply with the strictest as their standard, rather than trying to implement 50 different sets of policies for residents of each state. With California imposing the strictest requirements, this could become a de facto national standard for data protection in the absence of formal national policy.
2018 Trends to Watch: Data Governance, IT0014-003349 (October 2017)
"Process versus technology: Which GDPR solution approach is best?" INT002-000070 (February 2018)
"GDPR compliance will require an integrated, multi-solution approach," INT002-000035 (December 2017)
Paige Bartley, Senior Analyst, Data and Enterprise Intelligence