Consumer privacy law coming in 2020
On June 28 California passed a digital privacy law granting consumers more control over, and insight into, their online personal information. Though not as expansive as the European Union’s recently enacted General Data Protection Regulation (GDPR), the new law is one of the most significant regulations to watch over the data collection practices of online companies in the United States.
Called the California Consumer Privacy Act, the law grants consumers the right to know what information is being collected about them, why that data is being collected, and with whom it is shared. In addition, customers will have the right to demand that companies delete their information, as well as to not sell or share their data.
Predictably, the new law will also make it easier for consumers to sue companies after a data breach, and gives the California attorney general more authority to fine companies that don’t play by the rules.
Signed into law by Governor Jerry Brown, the legislation goes into effect in January 2020 and is modeled closely on a ballot initiative proposed by real estate developer Alastair Mactaggart (photo above). Mactaggart spent over $3 million and gathered over 600,000 signatures to get his initiative certified.
However, concerned that rankled technology companies would outspend him and reverse public opinion before November, Mactaggart agreed to pull the initiative in exchange for the passage of the California Consumer Privacy Act.
“I feel like it’s the first step, and the country’s going to follow. Everybody is finally waking up to the importance of digital privacy.”
— Alastair Mactaggart / San Francisco real estate developer
Consumer rights under the law
Proposed rights under the new California Consumer Privacy Act:
- Right to know all your personal data that is collected by a business
- Right to be informed of what categories of data will be collected about you before it’s collected
- Right to be informed of any changes to data that’s collected
- Right to have your data deleted
- Right to say no to the sale of your data
- Right to know the categories of third parties with whom your data is shared
- Right to know from where your data was acquired
- Right to know why your personal information is being collected
- Right to sue companies after a data breach
- Mandatory opt-in before sale of children’s information (under the age of 16)
- Enforcement of the new law by the California attorney general
More headaches for small business?
For smaller businesses, the new law may not be as scary as it sounds. To be affected a company must fall into at least one of the following three categories:
- Have annual gross revenues in excess of $25 million ($25,000,000)
- Annually buys, receives, sells, or shares (alone or in combination) for commercial purposes, the personal information of 50,000 or more consumers, households, or devices
- Gets 50% or more of its annual revenues from selling personal consumer information
Don’t panic just yet
Even if you’re included in one of the above categories, the California Consumer Privacy Act won’t go into effect until January 2020. Over the next 18 months, lawmakers claim that they’ll work to resolve any issues that emerge — particularly as they relate to potential consumer lawsuits. Just don’t wait too long to get organized. The GDPR caught many U.S. businesses by surprise and a lot of IT departments are still scrambling to comply.
What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. In short, it is a complex and sweeping consumer privacy regulation that imposes severe fines on companies that collect, store, and share personal information from residents of the European Union (EU), regardless of the where that company is located.
Although your company may target a very narrow slice of the globe far away from the EU, it would still be prudent to update your website to reflect the spirit of the new regulations. Privacy is an incendiary topic and it makes sense to keep in line with current legal trends — wherever they may originate. Besides, I suspect that the United States (and the rest of the world) may follow suit with equally rigorous standards in the future. Learn more