California’s law provides a broad umbrella for what constitutes personal information, going beyond the typical name and driver’s license number to include information such as internet browser history, geolocation data and audio.
“All those kinds of information can be associated with a person and contain intensely private information,” said Jacob Snow, an attorney for the American Civil Liberties Union of Northern California who focuses on technology.
One of the most significant aspects of the California law is a clause that gives the state’s consumers the right to sue over a data breach that meets certain criteria. If they are successful, companies that expose consumer data could be forced to pay between $100 and $750 per Californian affected by a breach and any other fees the court deems appropriate.
California’s approach is starkly different from Florida’s. Like most states, Florida has few laws regulating data privacy. None allow consumers to fully understand where their data lives and to take it back as California’s does, though the Sunshine State does have a law requiring businesses to notify consumers after a data breach of a certain size.
“Outside of that, there isn’t anything that really requires (companies) to take reasonable measures to protect personally identifiable information,” said Sri Sridharan, director of Cyber Florida, the cybersecurity center housed at the University of South Florida.
A bill proposed recently by Sen. Doug Broxson, R-Gulf Breeze, would get Florida slightly closer to California’s law by requiring websites to tell Florida consumers what personal information they collect and to let those consumers opt out of the sale of their data.
According to Clabby, many Florida businesses may not even realize they could be subject to California’s law.
“There were companies who 12 months ago were aware of this and steadily worked toward compliance,” he said. But, “there are companies who found out about it only recently and will have to do some hustling to get themselves where they need to be.”
The regulation is widely considered to be the first in what will likely be a tide of similar state laws and potential federal legislation. That means companies will need to figure out how to comply with multiple laws and still do business effectively.
“You could end up with a federal floor and then still have different states that set different levels of privacy protections for consumers, even if those privacy levels conflict,” Clabby said. “It’s not what the regulation is, it’s having certainty so companies can plan their business activities.”
Some companies are expected to take a segmented approach for now, where they would have one division for California and one for the rest of the country, as many do to comply with Europe’s significantly more stringent data privacy laws.
Others, such as Microsoft, are complying with California’s law and offering the same protections to customers around the country.