2018 was a pivotal year for those concerned with data privacy. Earlier this year the General Data Protection Regulation (GDPR) foreshadowed the coming shifts in the relationship between businesses, customers, and their data. Governments are defining how businesses can collect and use the private data of their customers and outlining the types of disclosures and permissions they’ll require going forward.
As expected, the U.S. is also beginning to pass new data protection legislation, with California going first with its CCPA (also abbreviated CACPA). Together, the GDPR and the California Consumer Privacy Act of 2018 have outlined the fundamental principles and approaches that we can expect from the wave of consumer privacy laws sure to come.
The CCPA and the GDPR have some similarities, but they approach consumer privacy differently. Both apply to any company in the world that does business with the citizens under their jurisdiction. However, while the CCPA is more specifically concerned with consumer privacy rights, the GDPR more broadly covers how businesses should approach data security, management, and portability.
How The CCPA Became Law
The California Consumer Privacy Act passed through the state legislature quickly and unanimously as lawmakers rushed to avoid contending with a much stricter publicly generated bill and a November 6th deadline. State Assembly Member Ed Chau and State Senator Robert Hertzberg introduced the bill to defeat a tougher privacy-focused ballot initiative that had already garnered more than 600,000 signatures from state residents.
Californians for Consumer Privacy, the initiative’s authors, said it would withdraw the initiative if a government-authored bill passed by November 6th. The deadline forced the state legislature to fast-track the bill through the Senate and Assembly and across Governor Jerry Brown's desk by the end of the day. The law goes into effect on January 1, 2020.
Rights Protected By The CCPA
California businesses have less than a year to restructure themselves to comply with the new regulation, but we advise all businesses across the country to begin familiarizing themselves with the types of consumer protections we might see with similar legislation. These new laws generally intend to allow consumers to exercise certain rights over their privacy when dealing with businesses. So, what are these rights?
Consumers have the following rights:
- The right to know what personal information the business collects about them, how the business collects it, what it uses the information for, and who’s buying the information if it was collected with the intent to sell it.
- The right to prevent the business from selling their personal information (or the information of their dependents 16 years or younger) to any third party.
- The right to ask businesses to delete their personal information, unless it is important for the transaction.
- The right to still get the same service and pricing as any other consumer, despite exercising the privacy rights above, as provided under the Act.
How Will This Affect Businesses Outside California?
It’s important to remember that both the CCPA and GDPR apply to any company in the world that does business with the citizens under their jurisdiction. This means any company with relationships with California residents should take heed and begin taking the necessary steps to comply with the new consumer data privacy law.
With the adoption of the CCPA, the writing is on the wall. It’s only a matter of time before the U.S. either passes its own federal version of the GDPR or states individually pass a patchwork of legislation that accomplishes the same objective of regulating business consumer data collection and protecting customer data privacy.
As of March 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws that require businesses to notify consumers if their personal information is compromised. But California and Vermont have now both gone beyond breach notification requirements and outlined significant regulations on the collection, sharing, and processing of consumer data.
We’re poised to witness privacy law changes all over the country. Businesses looking to avoid non-compliance penalties need to start implementing these requirements now. “Safe” today can easily mean “dead” tomorrow.