California Just Passed the Most Stringent Data Protection Law in the U.S.

True to form, California is leading the way and setting a precedent in reforming data protection for its residents. The goal is the same as with GDPR: to put ownership and control of personal data back in consumers’ hands and hold businesses to a higher standard when it comes to securing that data.

After days of intense negotiation from the likes of privacy advocates, cellular network providers, tech start-ups, Silicon Valley companies and others, new legislation recently passed.

Ready (or not), the California Consumer Privacy Act (CCPA), A.B. 375, which is being described by many as the most stringent data protection regime in the U.S., is setting the stage for sweeping changes on how companies both gather and make money off of consumer data across the country.

Be ready in early 2020 for the act – enforceable by the state’s attorney general – to go into effect. It will give California residents a variety of new rights regarding their personal information, including:

  1. Right to know personal information is being collected about them (and why)
  2. Right to know whether their personal information is sold or disclosed (and to whom)
  3. Right to opt out of the sale of personal information
  4. Right to access personal information in a usable format that enables easy third-party transfers
  5. Right to equal service and price, no matter if exercising privacy rights or not

The legislation defines “personal information” as a consumer’s personal identifiers, browsing history, geolocation, biometric data and psychometric data.

The act actually calls out misuse of the personal data by Cambridge Analytica. Not surprising, as their handling of data was clearly the impetus the U.S. needed to make some big changes.

What companies will need to do to ready themselves:

Provide a toll-free number and an email address for requests
Businesses must have a toll-free number and an email address for consumers to use for submitting requests. Within 45 days, a response must be delivered by mail or email with their personal information in a portable form to take to another business, if desired.

Create a place on the website for opting out
Companies will need to add to their websites a “DO NOT SELL MY PERSONAL INFORMATION” page with clear opt-out instructions.

Forgetting Consumers
Just like with GDPR, California consumers do have the “right to be forgotten,” but there are 5 different exceptions that I will save for another time.

January 2020 isn’t that far off. Start your process by asking consumers their state of residence, as people relocate and records might be outdated. Maintain all personal info in a secure location. If your business collects personal data from Californians, then understanding the new law and implementing new procedures around it are critical to getting ahead of the personal information curve.

Considering the cost and complexity of addressing these privacy rules, I would guess that most companies will not create a separate set of rules just for California. In fact, the new law could threaten established business models throughout the digital sector.

And, if these same privacy restrictions extend to ISPs like AT&T, it could force big changes to their growth strategies. For example, it would no longer be possible for companies to use web-browsing activity to build consumer profiles that are then utilized for digital advertising.

In actuality, the legislation has left the door open to amendments. As the attorney general works with the stakeholders, we are likely to see more specific guidance in the months to come. Keep your eyes and ears open, as whatever this law ends up being will surely impact the rest of the country’s data privacy laws.