California's spin on GDPR: Fewer teeth, bigger bite

When GDPR went into effect in May, it was expected that the European law would touch a lot of U.S. payment companies because of their international scope. Now it's clear that even purely domestic U.S. firms will have to adhere to some version of the data-privacy law.

California Governor Jerry Brown signed the California Consumer Privacy Act last week, giving the state the toughest data rules in the U.S. Like GDPR, California's law will pressure companies in other locations to follow its rules if they have any business that crosses into its jurisdiction.

For financial technology companies, card issuers and merchant acquirers, the California law applies many of the same pressures that GDPR does. The state law, which goes into effect in 2020, requires more transparency for third parties that handle data. It affects any company that uses application programming interfaces, software development kits and other open development tools to build e-commerce interfaces or digital payment gateways.

David Paul Morris/Bloomberg

Businesses will have to be more aware of the risk management and breach protection/response policies of the companies they do business with.

"The California law is similar to GDPR and it speaks to the privacy issues that are clearly outlined in GDPR," said Joe Prempeh, the global director of Data Privacy and Protection for Donnelley Financial Solutions, a Chicago-based data technology company.

There are a few important differences that make the California law weaker than GDPR. The European law gives consumers the right to ask companies to stop collecting information, while the California law gives people the option to ask companies to delete information or stop selling it—but the California law does not prevent companies from collecting information in the first place. There's also a chance technology industry lobbying will prune parts of the California law before it goes into effect.

But the rules governing data sharing and breach notifications for merchants that do business in California will certainly be stronger, and any partnership with or acquisition of a California company will bring an added data compliance burden.

"When one company acquires another, the acquirer takes on all of the risk under the California legislation," Prempeh said. "The acquirers could find themselves in a very delicate situation."

The California law is coming at a time when most companies are still grappling with how GDPR impacts their business. About half of European companies did not meet the May 25 deadline for GDPR. That's leaving a long and costly compliance battle, with the added challenge of the new California law and its downstream influence. "It's only a matter of time before other states follow California and pass their own laws," Prempeh said.

The European law has already enhanced investment in regulatory and data protection services, led to new use cases for blockchain and well-funded startups from large companies such as IBM and Mastercard.

These types of projects will accelerate as the California law adds more confusion to data compliance.

"Similar to GDPR, this could impact companies doing business all over the U.S. GDPR is about citizens or residents of the EU/EEA ," said Michael Hiskey, head of strategy at Semarchy. "If the California Consumer Privacy Act is the same, how do I know if a California resident isn't standing in New York or Chicago? So I have to do it for everyone."

To be on the right side of common sense data accountability, the only answer is to be ready with the "lowest common denominator" approach, or to wrap up customer data with a strong understanding of the "master" record for each customer and govern that data so that a company can provide it if asked or erase it, Hiskey said.

"The nice part is that it's like brushing your teeth. By forcing organizations to do this, they get ancillary positive benefits," he said. "It's like clean teeth and preventing gingivitis, but in this case, better customer data and avoiding regulatory fines for noncompliance.”