New California Privacy Law May Reach Across the U.S.

New California Privacy Law May Reach Across the U.S.

How Companies Will Be Impacted by California AB 375

On June 27, 2018, the California legislature quickly passed into law Assembly Bill 375 (AB 375), the nation’s toughest privacy law in the United States to date. Known as the California Consumer Privacy Act (CCPA), the law goes into effect on Jan. 1, 2020, in order to give companies time to meet its requirements.

The new law, which is meant to create transparency and control for consumers over their data, its collection, and how it is used, will have consequences for businesses nationwide. Companies throughout the U.S. should be taking note and begin preparing now for sweeping changes.

What It Does
The CCPA impacts any for-profit organization or legal entity that does business in California that also collects the personal information of consumers either directly or through a third party. There are several conditions outlined in the new law such as:
• Companies must inform consumers of the data they collect and the purposes for which it is used.
• Consumers can require companies to delete their data and direct companies to cease the sale of their data.
• Companies will be required to disclose to consumers their right to request deletion of their data and their right to opt out of the sales of their data.
• Consumers can request a free copy of personal information the company has collected about them to be delivered within 45 days via mail or electronically.
• Companies that collect, sell, or disclose consumer data must disclose the categories of data that were collected, sold, or disclosed, as well as the third parties to whom the data was sold or disclosed.
• Consumers will have the right to obtain their data in a portable format such that it may be provided to another entity.

Legislative Reach
Interestingly enough, while the law was passed in the state of California, it will have an impact on companies throughout the nation and even the globe. For example, the state of New York often follows California where consumer legislation like this occurs so other states in the U.S. will most assuredly follow in the Sunshine state’s footsteps by enacting similar laws of their own.

Even before that happens though, companies across the nation who work with consumers in California and collect their data will be affected by the new law. This is because so much business is now transacted on the internet and the nature of data collection means all companies are on the hook. This is huge, especially for companies that collect data, store information, and/or warranty information.

Take for example the case of a graduate student from California. Should that student moves to New York for school, they are technically still a resident of California and are covered by the law as a result. This law really does reach across state lines to protect personally identifiable information (PII) so companies must be ready to comply with its requirements.

Why Now?
This law, which was vehemently opposed by many tech companies, was whisked through the California legislature this June. Lawmakers pushed it through quickly in an effort to avoid an even more restrictive voter-proposed initiative that was set to hit the ballot this coming November. By rushing it through and having it signed by Jerry Brown, California’s governor, on June 28, lawmakers were able to appease the group pushing the voter initiative which agreed to withdraw their ballot measure if the law were passed.

California State Senator Robert Hertzberg, one of the legislators who introduced AB 375, told Wired in a statement that, “We in California are continuing to push the envelope on technology and privacy issues by enacting robust consumer protections- without stifling innovation.”

Comparing It to the GDPR
While this law does have some similarities to the General Data Protection Regulation (GDPR) enacted this last May by the European Union, it is not as strict. Both legislative actions require companies to be transparent regarding their policies when it comes to collecting, storing, and selling PII. Both laws also require that certain information must be provided to consumers.

A major difference is that AB 375 calls for an “op-out” by consumers while the GDPR requires a stiffer “opt-in” for those willing to consent to the collection, processing, and sale of their consumer data. While the GDPR puts the burden of ensuring the transparency of their policies firmly on the shoulders of businesses, AB 375 leaves it to the attorney general to enact appropriate rules, procedures, and exceptions to ensure that data policies are simple enough for the average consumer to understand.

What’s a Business to Do?
Companies that do business with consumers in California and collect, store, and/or sale PII, will be required to comply with AB 375. Such businesses will need to reassess their policies and procedures. Business leaders will need to examine the following in addition to other items:
• Review and amend privacy policies and practices.
• Modifications to various workflows to effectuate requests from consumers.
• Reevaluation of and updates to overall privacy, governance, and compliance programs.
• Training for personnel to properly process new consumer requests for those exercising their rights under the law.
• Evaluation of security employed to protect consumer PII and the possible implementation of stronger security measures.

Options for Companies
With the new law going into effect in less than 18 months, companies will have to decide how they will move ahead. First, companies can adopt privacy rules that will be applicable to consumers only in the state of California. Another option is to enact sweeping changes that apply to all consumers which meet the California legislation requirement regardless of whether they reside in California or not. The latter may be the simplest way to move ahead given the fact other states are likely to follow California’s lead.

Whichever direction a company chooses to go, the fact is that companies dealing with data will now be forced to assess, and possibly modify, how they handle consumer data. If you have further questions about the impact this law has on your business, consumer data, or compliance, please contact Dox at (585) 473-7766.