A new privacy act in the United States which is comparable to GDPR is about to expose the country's ‘dreadful’ data practices, according to an expert.

The California Consumer Privacy Act was passed recently and will affect anyone with a revenue of over $25m that collects data on Californian citizens, anyone that processes the information of over 50,000 Californian residents or anyone who works with a third-party supplier based in California.

This will affect most major US businesses and means they are legally required to provide a report upon request on the types of data they have on a person, what they use it for and who they’ve sold it to or bought it from in the last year.

Companies have until January 2020 to become compliant and director of privacy for 1touch.io John Tsopanis says the move will have incredible implications for the country.

“The attitude toward data privacy in the US is dreadful,” he told BusinessCloud. “It’s blasé and negligent and there’s a lack of understanding about its importance. The protection of personal information is the cornerstone to a free and functioning democracy.”

The implementation of the Act will lead to the mass uncovering of the data practices of American companies, he says.

“It’s something that’s fairly in the dark right now but the practices are incredibly rogue,” he explained. “It’s essentially a mass network of data buying and selling companies in previously undiscovered webs.

"The changes will allow every journalist and citizen in California to uncover that and understand who their data is being bought from and sold to.”

Tsopanis says that although the legislation is currently not on the radar of most US businesses, it will be the most important cultural shift we’re going to see in America.

“The backlash from what will be found is not going to be pretty at all,” he said. “Americans don’t care about personal data so building the infrastructure to be able to track where that information is, is a monumental ask.

“The funny thing about the law is that it doesn’t require organisations to get explicit consent like GDPR does, though it’s what I hope the American public will push for once they become more literate about data privacy, but it does require organisations to know where all the data is.”

Tsopanis’s advice for companies dealing with the data of Californian citizens is to get cracking with data identification. However, ultimately it may well be a case of hoping someone else is a bigger scandal, or paying a company like 1touch.io to map their data for them.

“There will be a lot of juicy stories that come out from this,” he said. “There isn’t the appetite to change the way American companies do things but they are willing to throw money at a problem.

"In that way, the legislation has been brilliantly tailored to the psychology of the people actually implementing this.”

1touch.io goes into organisations and uses AI and machine learning to instantly map their data flows. Tsopanis spent years doing this manually, and when he heard about the company’s technology quit his job on the spot to join them.

“Having enough data points on a person allows companies to build psychological profiles which can cause unbelievable harm - as we’ve seen with Cambridge Analytica,” he said.

“When people understand that the tech they used was made available because all corporations are using the same techniques, well, I hope that revelation leads to some sort of sense check about data privacy in America.”