I receive from Russ Lowenthal, a smart colleague of mine, working in the USA, this piece of information. I thank Russ, and I agree with his comments! GDPR is in fact a trendsetter. BTW this morning I was discussing GDPR with other colleagues from Japan. They see market traction there and we want to address a set of activities. Last week a similar discussion for 4 french speaking countries in Africa…
California Consumer Privacy Act of 2018
3 July 2018
Last week California (the most populous state in the USA with an economy roughly the size of the United Kingdom’s) passed the “California Consumer Privacy Act of 2018” (CCPA) – this is the toughest data privacy law to date in the United States, far surpassing any other state’s data privacy law both in its requirements and in the penalties for improper handling of personal data. The law is enforced by the Attorney General of the State of California. For those who want to read the full 24-page text of the law, it is available here.
Most organizations doing business with a California resident will need to comply with the new law. Specifically, any company with annual gross revenue greater than $25M that collects, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices (think IOT).
Under the new law, personal data is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a person or household. It includes biometric information, commercial transaction information, internet activity (including browsing history and IP address), geolocation data, employment data, education information – in other words just about ANY data collected about a person falls under this new law.
The CCPA codifies several new consumer rights – note: the number after the consumer right is the relevant section of the law
- Right of access: a consumer has the right to request what categories and specific pieces of personal information the business collects (1798.100)
- Right of deletion: a consumer has the right to request that the business delete any personal information that was collected (1798.105)
- Right to know: a consumer has the right to learn how their information was sold or disclosed, and to whom it was disclosed (1798.115)
- Right to be informed: of what categories of data will be collected about a consumer prior to its collection, and to be informed of any changes to this collection (1798.110)
- Right to control your own information: Consumers must be given the chance to opt-out before their data is sold to a third party (1798.120)
- Right to control information about your children: Consumers must opt-in before sale of their children’s information (under the age of 16) (1798.120.d)
- Private right of action: consumers have the right to take legal action when companies breach their data (1798.150)
If you’ve been following the European Union’s General Data Protection Regulation (GDPR), you’ll see that these rights align fairly closely with GDPR. Like GDPR, the CCPA discuses concepts like pseudonymization and anonymization, and while it does not mandate encryption it certainly calls it out as an important control with specific exemptions against having to report data breaches if the data is encrypted.
Also, like the GDPR, the CCPA imposes draconian penalties on those who fail to meet its requirements. CCPA allows each consumer to recover damages in the event of a data breach, setting a minimum damage amount of not less than $100 and not greater than $750. In other words, if you are trying to define the cost of a data breach for one of your customers it just became VERY easy to do for California – No less than $100 per record!