Working under a very tight schedule, the California State Legislature passed its toughest digital privacy law (Bill AB375) in merely three months, with most of the work done in the last week; by comparison, it took the EU a very long four years to frame its GDPR data privacy law. At 31 pages and over 10,000 words, the California Consumer Privacy Act of 2018 requires compliance by January 2020. The law, signed by Gov. Jerry Brown, will change the way businesses handle customer data and would affect consumers nationwide.
A quick recap
- requires companies to provide a clear and conspicuous link on their internet homepage, titled ‘Do Not Sell My Personal Information’.
- requires companies to notify consumers in advance of what information is being collected.
- requires companies to inform consumers whether they are selling, sharing or disclosing personal information.
- gives consumers the right to know how that data will be shared with third parties.
- allows consumers to opt out of the sharing or sale of their personal information.
- gives users the right to request that a business delete personal information it has already collected.
- ensures businesses must still give consumers who opt out the same quality of service.
- makes it more difficult to gather, share or sell data of children younger than 16.
- allows individuals to access their data in a computer-readable form that they can take to other companies, twice a year and free of charge (to encourage competition and innovation among service providers).
- allows companies to provide a discount in exchange for the right to sell or share some kinds of data.
Which information is affected?
Broadly, all personal information that identifies, or in any way relates to, a particular consumer, directly or indirectly. Examples include identifiers such as a name, alias, gender, postal address, race, unique identifier, IP address, email address, account name, social security number, driver’s license number or passport number, and commercial information, including records of property, products or services provided, biometric data, browsing history, search history and information regarding a consumer’s interaction with a website, application or an advertisement. All of these are roughly treated as the personal data of a user under the new law.
Which consumers are affected?
For now the law applies to California residents only. That said, it is likely to have an effect throughout the U.S., much as the EU’s GDPR privacy laws have affected the U.S. Companies affected by the law would naturally choose to follow the same privacy practices in the rest of the country. They are also quite likely to push for a federal bill in order to offer universal privacy protections. Moreover, the law’s enforcement could drive other states to pass their own laws. The effect could be similar to that of California’s data breach notification law of 2002, which led to similar legislation in all 50 states.
Which corporations are affected?
All companies that do more than $25 million in annual business, hold the personal data of 50,000 people, or earn at least half of their revenue from the sale of personal data come under California’s new data-protection law. This undoubtedly covers a wide group while leaving out most small businesses in California. However, healthcare data covered by the Health Insurance Portability and Accountability Act, consumer report data governed by the Fair Credit Reporting Act, and personal information collected under the Gramm-Leach-Bliley Act are all exempted by the law. It is no surprise that the Internet Association, a trade group whose members include tech giants such as Amazon, Google, Microsoft and Uber, opposed the ballot measure, as did internet service providers such as AT&T, Comcast and Verizon. Silicon Valley tech giants suggest that the law puts everything at risk, from data gathering to retailers’ customer-loyalty programs.
What businesses must do to comply with AB375?
Businesses will have to make many changes to the way consumer information is handled and will need to create new compliance programs. To implement the “right to know” (how customers’ personal data is shared with third parties), businesses will need to provide at least two contact methods, say a toll-free telephone number and a website address. Other methods of getting in touch may include a mailing address, email address, web portal or any other means approved by the Attorney General. Since the new rule makes it mandatory for corporations to provide a ‘Do Not Sell My Personal Information’ link on their internet portal, web pages will need to be restructured. Then, once an organization receives a consumer’s request, it will need a compliance process to respond and to document its actions in accordance with the law. Businesses must note that if an alleged violation is not addressed within 30 days, fines stack up quickly, to the tune of $7,500 per violation.
The tech industry says that the new consumer privacy law was rushed through the legislature. The National Retail Federation called the new legislation “deeply flawed”. Some advocacy groups, including Consumers Union, contend that the law is less comprehensive and less consumer-friendly than the ballot proposal, and that it contains a lot of vague, confusing and contradictory language which may fuel many legal fights. It will be interesting to see the attitude of government, consumers and, most importantly, businesses before the law goes into effect in January 2020.