Has California hit the privacy sweet spot?

Thanks to three new laws and a pending ballot initiative, California now leads the way in online tracking, kids' privacy, data security breach notification, and an opt-in data privacy regime. More bills are waiting in the wings in the legislature for next year. Is all this a good thing for the survey, opinion and marketing research profession?

The Golden State was an early leader in a variety of privacy areas, from its data security breach notification law to the California's Online Privacy Protection Act. California's newest laws, signed by Governor Jerry Brown (D) last month, cover divergent issues:

  1. Requiring transparency and disclosure about online behavioral tracking of consumers (including for strictly research purposes);
  2. Requiring online and mobile websites, applications and services to offer minors (and their parents) an "eraser button" for their information and content online, known as a "right to be forgotten;" and
  3. Adding usernames and email addresses, combined with passwords or security questions, to the personal information covered by California's data security breach notification law.

Each one presents its own challenges to the research profession, and reflect the ongoing interest of the legislature (as reflected in the launching of a Select Assembly Committee on Privacy). However, all three new laws pale by comparison in their impact to some other California privacy measures not yet set in stone, including:

The Right to Know Act was deferred until 2014, but it is likely to be considered seriously and could get approved in the new year. The fate of the other two measures is still unclear.

California Attorney General Kamala D. Harris (D) is also engaged in privacy and data security policy issues. Her office took charge in applying the California Online Privacy Protection Act to mobile apps and devices, offering guidance and recommendations as well as pursuing enforcement actions against violators. Such moves were felt during the White House's multistakeholder process for mobile apps privacy (which recently concluded in ambigious fashion). The AG's office has also been aggresively purusing data security violators and helpfully released recommendations and lessons learned from such data security cases to help other companies comply.

The view from the research profession
California often takes the lead on regulation, eventually forcing other states and the federal government to follow, but sometimes leading the federal government to take the Golden State to court or to pass contradictory new laws to preempt California's efforts. The former result, where Congress considers legislation that would make compliance simpler for some companies by making California law applicable everywhere, is not necessarily the most palatable conclusion for the survey, opinion and marketing research profession. We've seen this play out in data security legislation for over a decade, and in comprehensive data privacy legislation over the last few years, and plenty of provisions have appeared in both areas that would make it significantly more difficult to conduct research in the United States.

Even if the federal impact takes a while to be felt, other states can copy California. Most of the state data security breach notification laws copied directly from California. As the California Governor signed the minors privacy bill into law, a similar bill was introduced in the Illinois legislature.

The Marketing Research Association (MRA) will continue to advocate for the interests of the research profession, both in California and in our home of Washington, DC. Stay tuned for more action.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.