The new Privacy Law of California
California passed a consumer privacy act, AB 375, in late June 2018. It could have more repercussions for U.S. companies than the European Union's General Data Protection Regulation (GDPR), which came into force this past spring. The California law does not have some of the most onerous requirements of GDPR, such as the narrow 72-hour window in which a company has to report a violation. It does, however, go even further in other ways.
The California Consumer Privacy Act (CCPA) takes a wider view of what constitutes private data than the GDPR itself. The security challenge, then, is to locate and secure that private data.
Your personal data has been a commodity for decades now, whether it’s your name, your place or your shopping habits.
About the California Consumer Privacy Act
When the California Consumer Privacy Act, or CCPA, enters into force on January 1, 2020, Californians will finally have certain rights over the data that companies like Facebook and Google collect from them. While these protections have limitations, the very nature of this legislation is a win for the privacy rights of customers because it will bring improvements to a data collection system that has gone unregulated and unchecked for so long.
AB 375 enables any California consumer to request that they see all the information that a company has stored on them, as well as a complete list of all third parties with whom data is shared.
When is the CCPA required for a company?
The CCPA applies to any company that collects personal information of consumers alone or in combination with others, decides the purposes and means of processing personal information of consumers, conducts business in California and meets at least one of the following thresholds: has annual gross sales exceeding $25 million (may be changed from time to time); buys, sells, earns or receives annually.
In fact, businesses need their data monitoring systems in place by the beginning of 2019, because the law gives customers the right to request all the data collected by a company during the previous 12 months.
The act only applies to “consumers”, meaning residents of California or individuals residing in California who may be out of state for a temporary or transitory purpose. It should be noted that the definition of “selling” personal information includes renting, disclosing, distributing, making available, transferring, or communicating it orally, in writing or by electronic and other means to some other business (including affiliates) or to a third party for monetary or other valuable (non-monetary) consideration.
The CCPA also applies to personally identifiable information found on any medium, not just information collected electronically.
What does CCPA mean in terms of security?
AB 375 is light on security and breach response requirements. The law defines penalties for companies that disclose consumer data because of a malfunction or security lapse. It also requires courts to grant “injunctive or declaratory relief” and/or “any other relief deemed appropriate by the court”.
Businesses are not required to report infringements under AB 375, and customers must file complaints before fines can be imposed. The best course of security action, then, is to know what data AB 375 describes as private data, and to take steps to secure it.