California Successfully Passes Data Privacy Law
September 07, 2018
By Marc LaVine
To be legally required to comply with the law, a business must satisfy at least one of the following three criteria:
- Have annual gross revenues in excess of $50,000,000.
- Annually sell, alone or in combination, the personal information of 100,000 or more consumers or devices.
- Derive 50% or more of its annual revenues from selling consumers’ personal information.
Personal information is broadly defined under the new law. Some of the categories include personal identifiers, geolocation, biometric data, internet browsing history, psychometric data, and more. Under the new privacy law, organizations must give customers the opportunity to opt out of the sale of their personal information. This comes at no cost to the consumer; in fact, organizations are prohibited from charging customers more for their services should they choose to opt out.
Similarly, organizations cannot deny services or provide lower-quality services to customers who choose to opt out. Also, under the new law, customers are granted the right to be informed about the types of personal data collected and why the data was collected. Customers can request the deletion of their personal information at any time.
Impact of the New Regulation
Protections under this new law are governed and enforced by California’s Attorney General, although the affected customers retain the right to take private action should a breach of the law occur that personally affects them.
This new legislation, if successful, could serve as a model for the remaining states to follow. As passed, the new law technically applies only to California residents, but its impact is expected to be more widespread, because many organizations have nationwide customers, including Californians, which leaves them with a decision on how to comply with the newly passed law. They have the option to apply the law to all customers universally, or to attempt to identify California customers’ data separately while running the risk of missing data.
Similar to the impact of GDPR on European companies, organizations will need to implement internal controls to prevent or detect a data breach. Also, in the event a breach occurs, employees should be trained to properly handle and assess the situation in a timely manner.