At midnight on May 25, the European Union’s General Data Protection Regulation (GDPR) became official and enforceable. Companies around the world that conduct business in Europe rushed to share revised data privacy terms of services with customers prior to that deadline.
The law has transformed the way commerce is managed around the globe. Companies now have to be much more transparent about where data actually lives, how it is accessed and protected, and, when it is breached, how they plan to remedy the breach.
As a result, other jurisdictions–especially those with multinational corporations that do business in the EU–followed the GDPR lead with their own regional regulations. California passed its own Consumer Privacy Act of 2018 a month later, on June 28.
Act Was Sparked by Facebook/Cambridge Analytica Issues
The new data privacy law is the state’s attempt to rectify the excesses recently revealed at Cambridge Analytica and other organizations, in which consumer information was used, sold and frequently exploited without consent. The California Consumer Privacy Act of 2018 imposes requirements on companies in the state that dramatically change the way consumer information is handled.
The CCPA, as it’s becoming known, gives people access to the information that companies have stored, enables them to opt out of having their data shared and includes the EU’s concept of the right to be forgotten. The law also allows companies to compensate people for the sale of their data, and it provides for enforcement by the state attorney general.
As one might expect, the tech industry has vowed opposition to the new law–sort of. Facebook is already saying that it is in compliance. Other companies are suggesting that the new law might mean the end of the internet, perhaps a real inconvenience, or both. But in reality, it’s neither.
With these new laws and regulations in place, what comes next? IT industry watchers have their own theories, as do enterprises. In this eWEEK Data Point article, Digital River, a global provider of ecommerce solutions, offers some industry perspective on key points of California’s Consumer Privacy Act and how it compares to the GDPR, providing insight on how the business landscape is being transformed.
Data Point 1: Understanding where your business stands.
Similar to the GDPR, California’s new Consumer Privacy Act (CAL. CIVIL CODE § 1798.100-198) does not require a physical presence in the state. Instead, an organization need only conduct business with California residents and exceed one of three thresholds:
- it has annual gross revenue in excess of $25 million;
- it derives 50 percent or more of its annual revenue from selling consumers’ personal information; or
- it buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices annually.
If your business meets these requirements, read the law in its entirety–reread it if necessary–to fully grasp the impact it will have on your company.
Data Point 2: Informing customers how their personal information will be used.
Companies that meet the Consumer Privacy Act criteria must inform consumers, at the point of data collection, what types of personal information will be collected (for example, name, email address and phone number) and for what purpose. Companies must also be able to respond to individual consumer requests asking what specific personal information has been collected about them. With this in mind, companies should assess their reasons for processing data; storage and processing activity must align with the law by its effective date of Jan. 1, 2020.
Data Point 3: Handling access requests.
As under the GDPR, consumers can request a full record of the personal information a business has collected about them. Under the California Consumer Privacy Act, businesses are required to disclose the type of personal information collected, where it was collected, the business or commercial purpose for collecting or selling it, and the types of third parties with whom it will be shared. This creates a need to verify that an access request genuinely comes from the consumer it concerns, and requires tools that can quickly retrieve the requested data. On the back end, companies must work together to honor the inquiries, logging each request and tracking any actions taken in an easily retrievable repository.
Data Point 4: Objecting to the sale of personal data.
Not only are companies required to track the data on file and how it’s used, they must also proactively disclose if personal data is sold, where a sale includes exchanging data for other valuable consideration, not just for money. Under California’s Consumer Privacy Act, businesses must give consumers the ability to opt out of sharing personal information with third parties, and businesses cannot ask consumers to change this selection for at least 12 months.
Data Point 5: Processing children’s information.
Businesses must consider another set of requirements specific to minors. Parents are required to give consent regarding the sale of data for children younger than 13 years old, and businesses must track this adult consent. Children ages 13 to 16 years old can opt in themselves. If your company’s services could target children, it is imperative to develop an age verification system before collecting any data, to avoid non-compliance.
Data Point 6: Unprotected data comes at a cost.
Under both the GDPR and California’s Consumer Privacy Act, there is yet another common theme – improper management of consumer data will be penalized. The California Consumer Privacy Act carries potential fines of up to $2,500 per violation, rising to $7,500 per violation if the violation is deemed intentional. Note that, apart from a few exceptions outlined in the law, California’s Consumer Privacy Act can only be enforced by the office of the Attorney General of the State of California. In addition, the law gives companies the opportunity to address a non-compliance issue within thirty days of notification before incurring financial penalties. To avoid financial loss and damage to consumer trust, an internal risk assessment is necessary to understand what data the organization collects and how it handles that data.