July 05, 2018
California has passed the California Consumer Privacy Act (CCPA), which takes effect in 2020. The law puts in place the strongest consumer privacy protections in the United States, comparable to the GDPR in Europe. Large internet businesses are lobbying against the law, which may well be amended before it takes effect. Both large businesses and the ACLU think the act may have been drafted in too much of a hurry.
The key provisions include:
- The right to ask a business to disclose the personal information it has collected about the consumer, the sources of that information, the business purpose for collecting or selling it, and the categories of third parties it is shared with.
- The right to request that the consumer's personal information be deleted.
- The right to opt out of the sale of personal information, without being discriminated against for doing so. Companies are, however, allowed to offer financial incentives in exchange for the collection of personal information.
- A ban on selling the personal information of a consumer under 16 unless that consumer (or, for a child under 13, a parent or guardian) specifically opts in.
- The right to sue a company over a data breach of unencrypted personal information if the breach resulted from the company's failure to implement reasonable security procedures.
The law is designed to target internet giants in the wake of the Cambridge Analytica scandal, and it contains thresholds that keep small businesses out of scope. Specifically, the law only applies to businesses that satisfy one or more of the following:
- Annual gross revenues in excess of twenty-five million dollars.
- Annually collects, buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of annual revenue from selling consumers' personal information.
In other words, unlike the GDPR, the law does not apply to, for example, a sole proprietor who sends a newsletter to their customers; it is clearly aimed at large companies and at specialist marketing firms whose business is brokering information. If you meet one of the thresholds, you will have to, for example, provide a toll-free number that consumers can call to request their information or its deletion. While the law only protects consumers in California, in practice new privacy policies will tend to apply to everyone: even companies that track physical location will not want to maintain one privacy policy for California and another for the rest of the United States.
So, what should you do? For most businesses, even those involved in e-commerce, the answer is nothing...yet. If you have already strengthened your privacy policy to comply with the GDPR, you should be in reasonable shape for a while. Unless you fall into the specific categories referred to in the bill, the law does not apply to you. Remember, however, that "personal information" does include email addresses, so a website that collects email addresses from 50,000 or more California consumers meets the threshold even if it earns nothing from that data.
If it does, then you need to do the following:
- Make sure your privacy policy clearly states what information you collect and how you use it. If you have updated for GDPR compliance then that should be sufficient or close, but you should double check. If you have not, then take both into account when crafting a new privacy policy. Have it read by somebody outside your company to ensure clarity.
- Ensure that you have a mechanism for consumers to find out what information you hold about them and to request its deletion. Note that you do not have to delete information you still need in order to complete a transaction or provide a service the consumer requested, and there are a few other exemptions, such as information needed to detect or investigate a security incident, or information you are using to debug and repair errors. This is lighter than the deletion requirements under the GDPR, which should make life easier for companies that operate internationally.
- If you have customers under 16 (for example, for online games) and you sell personal information, make sure that you collect affirmative opt-ins from those customers, or from a parent or guardian for children under 13, before the law takes effect. These opt-ins should spell out exactly what information you are collecting and selling.
- If you have a loyalty program tied to the sale of personal information, make sure that its terms and conditions are clearly written and state what information you hold or sell. Referral programs may also fall into this category. The law does allow you to offer discounts, or to charge people more for not providing their information, as long as the difference is reasonably related to the value of the data and is not unjust, unreasonable, or coercive.
- If you sell personal information, you must place a clear and conspicuous link on your homepage titled "Do Not Sell My Personal Information" that leads to a page enabling consumers to opt out. The opt-out must work without requiring the consumer to create an account or log in, and your privacy policy must describe this right and how to exercise it.
- Train employees who handle inquiries about privacy on the terms of the law. You might want to hold off on formal training until the final form is more clearly known. However, it is likely that some form of "right to be forgotten" will stay in the final form, as will the rules about declaring what data you collect. Ensure that all employees who have contact with customers know and have fingertip access to exactly what information you collect, buy, or sell. Making "cheat sheets" might be a good idea, especially for new employees and for the period right after the law comes into effect.
- Monitor developments as it is possible that some companies not currently covered by the law may be brought in during an amendment. Also, the California Attorney General will be working on regulations and procedures to enforce the law, and some of those may change what you should be doing and planning. The landscape is likely to change and it is also likely that some other states will follow suit, especially once California's law is in place and people can see how it is working in practice.
Again, most companies will not be affected by this, even if they collect personal information. However, with the landscape developing, this is a good time to review your privacy policies and ensure that they are clear, that customers know how to opt out, and that you are not collecting and storing data your business does not, in fact, need. If you need more advice, particularly on training employees to comply with the new law, contact Lorman Education Services today.
Sources:
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/07/03/the-cybersecurity-202-big-tech-is-going-after-california-s-new-privacy-law/5b3a4e081b326b3348addc76/?utm_term=.0375a92ea84f
http://time.com/5326166/california-approves-data-privacy-law/
https://money.cnn.com/2018/07/05/technology/data-security/index.html