It appears a wave of privacy legislation is coming that will affect business and not just those with a significant web aspect. Rather, the new wave will affect businesses with little to no exposure to the web.
To that point, the state of California has just passed the California Consumer Privacy Act of 2018 (the “California Act”). The California Act provides California residents with the right to dictate the personal information that a business may collect from them. This enactment was preceded by the City of Chicago’s proposed ordinance that will likewise afford Chicago residents with the right to “opt in” to a company’s use and distribution of their personal information. Whether purposefully or not, both the California Act and the proposed Chicago City Council ordinance are fairly consistent with the European Union’s enactment of the General Data Protection Regulation (“GDPR”) which became effective May 25, 2018.
The GDPR can somewhat misleadingly be said to provide rights to European citizens. It is, however, causing ripples throughout the world as companies that are not per se European act to change their policies and procedures to be consistent with the GDPR. This is occurring because the GDPR provides such rights when a company outside of the EU provides a good or service to those in the EU. Clearly, the GDPR is impacting American companies in unexpected ways and is, in many ways, inconsistent with current general American law.
The California Act is now the most consumer-protective online privacy law in the United States. It will take effect in 2020 and provides the right of California residents to request that their information be deleted and, essentially, find out to which companies their personal data has been sold. Critically, and previously unheard of in American law, this legislation provides consumers the ability to direct businesses to cease selling their information to third parties.
While one may wonder what importance this legislation has outside of California, note that the California Attorney General interpreted California’s existing consumer protection act, the California Online Privacy Protection Act, as applying nationwide. This means that businesses collecting consumer data from California residents are subject to its requirements, regardless of the state where such business is incorporated or conducts its operations. The reality is that both the California Act and the GDPR are causing other jurisdictions to get in line despite the absence of “local” laws that require the same protections.
With so much in the news lately about the misuse and abuse of data and personal information, it is reasonable to expect that comparable legislation will be proposed and ultimately enacted across the country. In the wake of this trend, businesses of all sizes that possess personal information – regardless of geographic location of management and/or operations – are well-advised to begin reviewing the information that they collect, possess and how they use it. Now is the time to begin implementing controls and, in some instances, deleting unneeded information, before the data that once was an asset becomes a liability from a compliance stand-point.
