California Successfully Passes Data Privacy Law

Amidst some serious data privacy scandals recently, public support for stricter data privacy policy has skyrocketed. In late June of 2018, the state of California successfully passed a consumer data privacy law that will significantly impact the way that organizations obtain, store, and utilize consumer information. The California Consumer Privacy Act, A.B. 375, is being compared to policies such as the General Data Privacy Regulation (GDPR) of the European Union. Although not as stringent as GDPR, this new law is said to be the one of the most momentous regulations supervising the data-collection practices of companies in the United States.

Requirements

To be legally required to comply with the law, a business must satisfy at least one of the three following criteria:

• Have annual gross revenues in excess of $50,000,000.
• Annually sell, alone or in combination, the personal information of 100,000 or more consumers or devices.
• Derives 50% or more of its annual revenues from selling consumers’ personal information.

Personal information is broadly defined under the new law. Some of the categories include personal identifiers, geolocations, biometric data, internet browsing history, psychometric data, and more. Under the new privacy law, organizations must provide customers the opportunity to opt out of the sale of their personal information. This comes at no price to the consumer; in fact, organizations are disallowed the right to charge these customers more for their services should they choose to opt out.

Similarly, organizations cannot deny services or provide less quality services to customers who choose to opt out. Also, under the new law, customers are granted the right to be informed about the types of personal data collected and why the data was collected. Customers can request the deletion of personal information at any time.

Impact of the New Regulation

Protections under this new law are governed and enforced by California’s Attorney General although the actual customers maintain the right to take action privately should a breach of law occur that personally affects them.

This new legislation, if successful, could serve as a model for the remaining states to follow. As passed, the new law technically only applies to California residents, but impact is expected to be more widespread as many organizations have nationwide customers, including Californians, which leaves them with a decision on how to comply with the newly passed law. They have the option to apply the law to all customers universally or attempt to identify California customers’ data separately while running the risk of missing data.

Similar to the impact of GDPR in European companies, organizations will need to implement internal controls to prevent or detect a data breach. Also, in the event a breach occurs, employees should be trained to properly handle and assess the situation in a timely manner.