What You Need to Know
In response to widespread data privacy concerns, legislators have just passed the California Consumer Privacy Act of 2018. Here’s an overview of the new data privacy rights the law provides and what it all means for your business.
Much of the political drive behind the passage of the California Consumer Privacy Act of 2018 (CaCPA) came from major privacy scandals that raised consumers’ awareness of their privacy rights and of the privacy violations major businesses have committed with their data. The most prominent example is the Cambridge Analytica incident involving Facebook user data.
When the legislation goes into effect in January 2020, California will set a path for the nation on privacy and consumer protection issues. Its residents will be given control over their personal data. This law is not as extensive as the EU’s GDPR, but its requirements could impinge on established business models throughout the digital sector.
To prepare, organizations will need to adopt a new business strategy in which they weave privacy and security into their business model. They need to consider best practices for building trust between themselves and consumers to prepare for this and other new privacy requirements.
The New Data Privacy
Because many businesses today financially profit from the sale of consumer data, CaCPA may affect half a million businesses across the United States. It’s being described as landmark policy and is the first major data privacy law passed in the United States. The law will go into effect January 1, 2020. However, it’s expected that the law will be amended before that date to fix ambiguities and other issues arising from the one-week turnaround from draft to law.
Salesforce.com CEO Marc Benioff applauded the new law, saying it could help ease the “crisis of trust” between the technology industry and consumers. This crisis has been fueled by Facebook’s Cambridge Analytica scandal and other privacy missteps. Google has repeatedly faced FTC scrutiny over user privacy violations, and the company paid $22.5 million over its use of activity-tracking cookies on users of the Apple Safari web browser. This lack of corporate transparency has cost these companies dearly.
Consumers have become more aware lately of how little control they have over their data. People are beginning to see the impact of a data-for-service model, and grassroots movements are aligning with legislative power to return control of consumer data to their own hands.
Broadly, CaCPA guarantees Californians the right to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed, and to whom
- Access their personal information
- Request a record of the types of data an organization holds about them, along with information about how that data is used for business purposes and third-party sharing
- Request to have their data erased
- Object to the sale of their data
The law continues to transform the way people think about privacy in the U.S. The Fourth Amendment provides what is called a “Right to Privacy,” but legally, the amendment has largely been upheld as a right to privacy against government authorities, including police. It has been weakly upheld, if at all, in relation to commercial enterprises. In effect, your home may be your castle, but your digital identity has been up for grabs.
What This Means for Your Business
If your organization meets one of the three following conditions, CaCPA applies to you:
- Earns $25 million or more in annual revenue (it’s not clear whether this refers to California revenue or global sales)
- Holds the personal data of at least 50,000 people, households or devices
- Obtains at least half of its revenue by selling personal data
The International Association of Privacy Professionals states that an organization must also meet all of the following conditions:
- A sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized and operated for the profit or financial benefit of shareholders or other owners
- Collects consumers’ personal information or has someone collect it on its behalf
- Alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information
- Does business in California
Any business entity that meets all these conditions will be subject to the law, regardless of where it is located. It’s estimated the law will apply to more than 500,000 U.S. companies, most of which are small- to medium-sized. It will also impact businesses outside the U.S., as long as they do at least part of their business in California.
As people found out with GDPR, a seemingly far-off deadline can arrive sooner than anyone thought. Affected businesses can take the following steps to prepare for January 1, 2020:
- Start updating privacy policies, California-specific rights pages and “Do Not Sell My Information” processes (if the latter applies).
- Consider alternative business models and web/mobile presences, such as California-only sites and offerings.
- Businesses selling or transferring data for business purposes should inventory all third parties that receive their data.
- Inventory all the information you collect, use and store that is of a personal nature. Also map the age of your data subjects.
- Make sure you have a designated method for submitting data access requests.
- Put in place new systems and processes to help you comply with new requirements, including:
  - Not requiring opt-in consent for 12 months after a California resident opts out
  - Verifying the identity and authorization of people making requests for data access, deletion or portability
  - Responding to requests for data access, deletion and portability within 45 days
- Monitor your cloud-based and mission-critical applications like Salesforce to ensure any potential breaches or data theft are quickly spotted and remediated. This can help protect you from the CaCPA’s penalty of up to $750 per resident and incident.
- Assess how you collect and handle data, and how easily you could fulfill a consumer’s request, as you consider aligning your business with the data privacy movement. The CaCPA doesn’t require privacy awareness training, but it is a good opportunity to assess your existing training and conduct new training if necessary.
Err on the Side of Trust
Ultimately, this type of legislation reminds businesses that protecting data privacy is more than a matter of covering your assets. Consumers are fed up with being lied to and profited from without their knowledge or consent. Such actions betray an implicit trust that exists between a provider and a customer. Laws like CaCPA are reshaping the notion of consumer privacy and, at the same time, the need for greater corporate transparency.
Moving forward, businesses will have to adjust their privacy and security efforts to secure data and earn customer trust by adhering to privacy regulations. This requires the right people, tools, processes and plan. Get started now before the fines and consumer wrath start rolling in.