California Governor Jerry Brown Thursday signed off on one of the strictest privacy laws in the U.S. in what could be a sign of legislative things to come in a post-European Union General Data Protection Regulations world.

The California Consumer Privacy Act of 2018, which goes into effect from 2020, mirrors many of the provisions of GDPR in that it puts strict regulations in place as to how online companies deal with customer data.

At its crux, the legislation gives California residents the right to know what data a company has collected on them as well as the ability to control what a company does with that data. Upon request, companies operating within the state must now disclose what information it collects, why it collects the data and to whom it sells the data. Consumers will have the legal right to compel companies to delete any data a business has gathered about them or opt out of their data being shared or sold.

The law further prevents companies from retaliating against customers who chose to opt out of their data being shared but does allow companies to offer financial incentives to customers in return for the right to collect data and share it.

In the event that a company fails to comply with the law, the state can impose a fine and consumers can sue a company for a breach of the law up to $750 for noncompliance or a data breach.

Absolute Software Corp. Global Security Strategist Richard Henderson told SiliconANGLE that “with GDPR now in full effect, I’ve been expecting legislation such as this to start to reach consumer-focused states in the U.S. for some time.”

Henderson believes other states such as New York and Massachusetts “will likely follow suit and draft their own citizen-friendly data rights laws” and that other states “will not sit on their hands waiting for a federal initiative that may never come.”

For companies, Henderson said, the law is much like data breach notification statutes in that they will likely have to follow the most restrictive rules and guidelines going forward.

“Much like GDPR, the time for businesses to act is sooner rather than later,” he said. “There are plenty of attorneys general who will not hesitate to go after companies who thumb their noses at these rules.”

Indeed, he predicts that this is the beginning of a new period of customer-focused data protections. “State and local governments have waited a long time for organizations to take care of this, and based on the colossal number of breaches and rampant digital thefts that continue to occur, they’ve had enough,” he said.

The new law raises concerns, however, in some quarters. The Information Technology & Innovation Foundation, a nonpartisan group that has received contributions from technology companies such as Google LLC and IBM Corp., said the bill is flawed, even if it will do “less damage” than a more stringent proposed ballot initiative it headed off.

“Billions of users around the world share personal data — often anonymously — in exchange for access to free content and services,” ITIF Vice President Daniel Castro said in a statement. “The system is not perfect, but it works.”

Castro said the bill will “undercut access to free content and services by prohibiting companies from penalizing consumers who opt out of sharing their personal data. This is like passing a law saying that consumers can opt out of paying for their meals, but restaurants can’t refuse them service. If there is no cost to consumers who choose not to contribute their data, then they will have little incentive to do so. California has just created a classic free-rider problem, and anyone who has studied economics knows it will not end well.”

The bill, he added, “should be wakeup call to Congress that it needs to pass federal legislation that preempts all state privacy laws and regulations, guarantees consumers notice and choice, and allows Internet companies to structure their business models as they choose.”

Photo: TBIT/Pixabay