Taking inspiration from the European Union’s General Data Protection Regulation (GDPR) and motivated by the spate of recent data breaches, the California Consumer Privacy Act will provide Californians with the toughest consumer privacy protections in the country. While good for them, anyone doing business which deals with personal consumer information—even if they are not based in California—will need to comply.
The California Consumer Privacy Act (CCPA) does not go into effect until Jan. 1, 2020, notes industry expert Chrys D. Lemon, but it should serve as a wake-up call to anyone who deals with personal data: more regulations are coming. Lemon outlines what to expect in data privacy regulations and what California’s law may mean for you in his webinar for Eli Financial, “The New California Consumer Privacy Act: How to Comply With the Most Stringent Consumer Privacy Law in the US.”
California’s Law: Who Is Covered, Which Businesses Are Affected
The 2018 law, according to Californians For Consumer Privacy, will:
- Protect the ability of Californians to tell a business not to share their personal information. Consumers can request that any business collecting information on them disclose the categories of data being collected and who the information is going to and for what reason.
- Gives Californians control over the personal information collected about them and the right to not be discriminated against if citizens choose to tell organizations to stop selling their data either by higher fees, denied access to services, or changes in quality of service they receive.
- Holds businesses accountable for safeguarding that info. While current laws call for “reasonable security measures,” the new law increases fines and penalties for violations.
The law applies to businesses:
- With gross annual revenues in excess of $25 million
- Which annually buy, receive, sell, or share for commercial purposes the personal information of at least 50,000 consumers, households, or devices in California
- Which derive 50% or more of their annual revenues from selling consumers’ personal information
What The Law Signals: More Protection Regulations Nationwide
Marketers should be familiar with the law even if they don’t currently operate in the Golden State or the information of its residents because it is a sign of the types of consumer privacy laws they can expect to see everywhere soon, notes a CMS Wire article.
“While GDPR and the CCPA have dominated the headlines to date, marketers should anticipate the pace of regulation accelerating,” Rob Perry, vice president of product marketing at ASG Technologies, told CMS Wire. “Already, Georgia is working on its own privacy legislation. As organizations face more and more regulations, it’s essential that marketers understand the ins and outs of each regulation and adjust their tactics and strategies to be compliant.”
Get Ready To Delete Collected Information
Consumers may also ask that a business delete their personal information, notes the New Jersey Law Journal, and businesses must also inform consumers that they have this right, which extends to third-party vendors that a collector may deal with. There’s one key exemption to note, though: if the personal information is needed to complete a transaction, it does not have to be wiped out.
Other exemptions are if the data is needed to:
- Debug or identify and repair efforts that impair existing intended functionality
- Exercise free speech
- Engage in public or peer-reviewed scientific, historic, or statistical research that is in the public interest
- Comply with a legal obligation
“The CCPA has already been amended once, and may go through additional updates before it takes effect, but businesses should start to prepare now,” wrote Mark G. McCreary in the New Jersey Law Journal. “Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. At the very least, a business should start mapping the personal information that it collects and locations where personal information is stored so it can promptly meet any request under the CCPA.”
With the California law set to take effect and more likely to follow it, now is the time to begin preparing your business for new regulations, says Lemon in his webinar. Management, legal counsel, and privacy and compliance officers should be on alert: more protections are coming for consumer, data, and it looks like these will have real teeth.