In June 2018, California took consumer privacy to the next level by signing off on a new bill: California’s Consumer Privacy Law (A.B. 375). The new law protects consumer data privacy and institutes hefty fines for violations. It’s slated to take effect January 1, 2020.
To avoid being caught off guard, as many businesses were by the EU’s General Data Protection Regulation (GDPR), there’s no better time than now to begin preparing. But before you get started, here’s what you need to know about California’s new law.
What the New Law Covers
Previously, businesses that shared data or suffered data breaches faced little more than a slap on the wrist. That’s all about to change. Now companies like Equifax will be held more accountable for failing to protect consumer data.
Under A.B. 375, all companies that do business and collect data in California will be required to be transparent about the information they collect, the purpose for collecting it, and the third parties they share it with. The broad range of personal information covered under this law includes names, emails, and social security numbers, along with unique personal identifiers like geolocation data, shopping data, browsing and search histories, and consumer profiles.
Additional consumer benefits include allowing California citizens to request all of their personal information twice a year. Residents will also have the right to demand that their data be deleted and that companies stop selling it. The law will also protect consumers from losing access to services or being penalized with higher prices for services. Businesses will also be required to use clear wording and post a visible link on their homepage to allow consumers to opt out.
Failure to follow the law will result in serious fines. Consumers will be able to sue for up to $750 for each violation. And California’s state attorney general will also be able to sue for up to $7,500 each.
How It Differs From GDPR (and Loopholes)
While the law is designed with consumer privacy protection in mind, there are some key differences from the EU’s GDPR. Unlike GDPR, California’s law doesn’t require opt-in permission to collect data. It also doesn’t require the right to opt out. Instead, consumers must take the initiative to request info to opt out. Until that info is requested, it won’t be provided.
Companies also still have some wiggle room. For instance, if company F has already sold your data to companies C and D, it’s too late to get that data back. You’ll have to contact those companies yourself, not company F.
Also, not all businesses are legally required to comply with the new law. The businesses affected are those that gross at least $25 million annually; interact with at least 50,000 consumers; and make half of their annual revenue from selling personal data.
Start Planning Now
California’s Consumer Privacy Law isn’t perfect, but it’s a step in the right direction for consumers. If you’re one of the businesses affected by this new law, you still have a few months to get your ducks in a row.