What happened?
California has enacted a sweeping digital privacy law, creating new protections and rights for consumers’ personal information. The law, which goes into effect in 2020, gives consumers a greater right to know and control their personal data held by others. While similar in some respects, the new law is not as expansive as the EU’s General Data Protection Regulation (GDPR), which became effective last month. Still, the new California Consumer Privacy Act ranks among the most comprehensive privacy laws in the United States.
Expect changes to the law before it becomes effective. The California legislature passed the bill to avoid a ballot initiative set for November, which offered more protections but also more potential confusion and turmoil. Governor Jerry Brown signed the bill into law just hours before the deadline to pull the ballot initiative. The new law and its ensuing debate over amendments may set the tone for other state and national legislation.
How is the law similar to the GDPR?
The law grants consumers a host of new protections and rights for their personal information online. The act’s broad definition of “personal information” aligns more closely with the GDPR’s definition of “personal information” than the state's definitions of “personally identifiable information.” The act defines “personal information” to be “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
As with the GDPR, the new law gives consumers the right to know what information companies are collecting about them. It likewise allows consumers to know why companies are collecting their information and with whom they are sharing it.
Similar to the GDPR, Californians may require companies to delete their information, and not sell or share it. On websites, companies must place a conspicuous link that says, “Do Not Sell My Personal Information,” so consumers may opt out easily. Companies must give those who opt out of selling their information the same quality of service. Companies may, however, use financial incentives to entice consumers to opt in.
The law also includes additional protections for children. A company cannot sell a 13 to 16 year old person’s information without his or her consent. If younger than 13, the minor’s parent must consent.
Following a data breach, the law makes it easier for consumers to sue companies after a breach. It also allows California’s attorney general more power to punish companies who fail to adhere to data protection regulations.
How does this new privacy law affect businesses outside California?
The new law will apply to any for-profit entity that does business in the state of California and:
-
determines the processing of personal information collected by or for it;
-
has annual gross revenues in excess of $25 million;
-
buys, sells, receives or shares PI of 50,000+ consumers, households, or devices; or
-
50% or more of annual revenue comes from selling personal information.
The reach is broad, as few businesses can ignore the California market.
What should a business do in light of the new California data privacy law?
California’s law is not set to take effect until 2020, giving businesses time to prepare and take in any amendments. As with the GDPR, however, it is imperative for businesses to heed these coming requirements, and not let them sneak up on them.
