At the same time, Congress is continuing to consider federal regulations of tech firms as industry observers assess Europe’s General Data Protection Rule (GDPR) that went into effect in the spring of last year. The California law goes into effect on January 1 and is well known for its comprehensive nature. It applies to businesses that have annual gross revenues exceeding $25 million, have personal information on more than 50,000 consumers or earn more than half of their revenue by selling personal information.
Unlike the GDPR, the California law doesn’t regulate data obtained from third parties, but it is still far reaching. It mandates that firms allow consumers to specify that their data isn’t sold. It also specifies that companies victimized by data thieves can be ordered in class action lawsuits to pay consumers between $100 and $750 per California resident, or actual damages, whichever is greater. Companies must also allow consumers to access their personal information and to order companies to delete the data. The Nevada law, however, lacks that provision.
Legislative calendars for states are complete for this year, but based on proposed laws, numerous states are considering their own data protection requirements, reports JD Supra. Massachusetts, New Jersey and Pennsylvania were unable to pass legislation this year, but are expected to revisit the matter in 2020. Other states including Connecticut, North Dakota and Texas established commissions to study privacy laws of other states.
On the Federal level, Silicon Valley Congresswomen Anna Eshoo and Zoe Lofgren have introduced HR 4987, the Online Privacy Act. Other members of Congress have also introduced privacy bills, but HR 4987 is noteworthy because it has been drafted by congresswomen who represent thousands of technology workers and wealthy entrepreneurs who benefit from monetizing their ventures, according to an editorial in the Mercury News.
The legislation calls for creating a federal agency that would enforce users’ privacy rights and make sure that companies comply with the law. It would also allow users to access, correct, delete, and transfer their personal data. Consumers could also be notified when their personal data has been collected, and the bill would require that individuals provide consent before their information is used for machine learning or artificial intelligence applications.
The legislation has won the approval of the Electronic Privacy Information Center (EPIC), which is considered to be one of the toughest privacy advocacy groups in the country. EPIC says it’s the best version of proposed legislation. In particular, the organization believes the legislation sets out strong rights for internet users while promoting innovation and establishing a data protection agency.
Industry observers are also watching regulatory actions resulting from GDPR. So far, a $228 million fine imposed on British Airways resulting from a scam in the fall of 2018 is one of the most significant actions, according to CPO Magazine. Users of British Airways’ website were re-directed to a fake site, which gathered data on 500,000 individuals. As a result, the Information Commissioner’s Office imposed a fine based on 1.5% of the airline’s 2017 worldwide revenue. Under the GDPR regulation, the fine could have been as high as 4%. CPO Magazine maintains that the action sent a shiver down the spines of corporate executives and attention is shifting to how big firms will fare.
The impact on big tech firms resulting from GDPR could ultimately play out in Ireland, reports Forbes. Due to Ireland’s low corporate tax rates, some of the biggest multinational tech shops such as Google, Apple, Facebook, Twitter and Microsoft have substantial operations within the country, which is known for having policies that are favorable for consumers.

Last modified on Monday, 11 November 2019