Shortly after the European Union’s General Data Protection Regulation (GDPR) took effect in March, another regulation regarding data privacy has popped up here in the United States: The California Consumer Privacy Act is slated to go into effect starting January 1, 2020.
According to the regulation’s website, these are the rights it will provide to consumers:
- Right to know all data collected by a business on you.
- Right to say NO to the sale of your information.
- Right to DELETE your data.
- Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- Right to know the categories of third parties with whom your data is shared.
- Right to know the categories of sources of information from whom your data was acquired.
- Right to know the business or commercial purpose of collecting your information.
- Enforcement by the Attorney General of the State of California.
- Private right of action when companies breach your data, to make sure these companies keep your information safe.
The California law has some similarities to GDPR, but it also has some differences. California’s law is more focused on incidents where people are selling data, whereas GDPR is more vague in terms of specifically selling or giving data away, said Patrick McGrath, director of solutions at Commvault, a data management company. “That’s certainly an area that California is looking at, probably with the proximity to some of the major technology players.”
In order to prepare for this new regulation, companies first need to be aware of the regulation and take it seriously, and then start identifying the issues it raises as business risks. According to McGrath, IT is often the starting point here because IT staff are typically the most hands-on with data.
Organizations need to have effective risk management and set up information governance, which involves setting up decision-making and accountability within the organization for what to do with data. This creates additional policies internally that need to be aligned to different owners.
“I think it’s a good thing, holding companies to a much higher standard for how they deal with personal data that has a huge impact on individuals,” said McGrath. “But it’s going to have a huge impact on the companies too in a different way in terms of the measures they have to put in place. And it’s not just the technology thing. It’s very much a part of the business model.”
Additionally, IT has to be a solid partner throughout the entire process in order to ensure that policies scale in environments with large amounts of data. “There need to be scalable ways for people to be able to process that data and safeguard that data,” said McGrath.
“I’d really recommend, and if you take a look at GDPR, one of the first things that people ask you to do with GDPR, which they should be thinking about as well for the California Consumer Privacy Act, is what information are you actually holding,” said McGrath.
According to McGrath, organizations need to go through their websites and other methods of communication with customers to ensure that they are asking for customer consent, that they are providing the right privacy and security policies, and that they have the right framework in place to let customers, employees, partners, or anyone else who provides them with data know how that data is treated.
“Organizations should minimize their exposure in handling personal data, keeping only the personal data necessary to service direct business and legal needs,” said McGrath. “As a best practice, we encourage organizations to use archiving policies that identify instances of personal data, delete, encrypt and/or move data to more secure locations that are fully tracked. While education is helpful, automation is key. With the rapid adoption of cloud and SaaS application partners, data is becoming further distributed and it demands proper data protection coverage. Even if breached data was not stored on-premises under your direct control, it is still your responsibility to determine whether or not personal information could have been compromised, and if so, to enact notification procedures. They are your customers, prospects, donors, employees.”
The new law states that consumers involved in data breaches can sue for up to $750 per violation, and companies may be liable for a penalty of $7,500 for each intentional violation. Beyond the heavy potential fines for violating the law, a company’s reputation is also at stake when data breaches happen. McGrath believes that those penalties will be dealt with in a fairly public way and that companies may be highlighted for not taking proper care of data. This erodes trust in those companies, and trust, McGrath believes, will be one of the defining characteristics of digital business. “I think we’ve seen evidence of what happens when that trust is broken,” he said.
People tend to think of these laws as compliance-driven constraints on their business, McGrath explained. “But I think if you put yourself in the individual’s perspective, I think you’ve got a right, even in terms of the California constitution, to privacy, within certain bounds of course, and the expectation that people will just deal with your data in a responsible way,” he said.
The California Consumer Privacy Act website even states “Some of the very corporations that opposed our initiative came around and supported the legislation once they realized that Californians would no longer accept the status quo where companies profit from the sale of your personal information without your knowledge or consent.”
This is not the first time California has been at the forefront of imposing regulations on tech companies. In 2002, the state created the Data Breach Notification Law, which then spread to other states in the US, McGrath explained.
McGrath believes regulations similar to the GDPR and the California Consumer Privacy Act will spread to other states as well. He believes this will be done at the state level rather than at the federal level, but remarked that it is often easier to have a standard operating procedure for data privacy rather than trying to handle it state-by-state or jurisdiction-by-jurisdiction.