man in business suit hiding face behind a white balloon
PHOTO: Andrew Worley

In late June, in one of the most significant recent developments in the privacy landscape in North America, California passed the Consumer Privacy Act of 2018, the strictest privacy bill in US history. While the law won’t go into effect until Jan. 1, 2020 (and could be amended before its implementation date), its impact on organizations worldwide has been immediate.

Let’s take a look at what the law could mean for consumers and organizations.

California Privacy Act Creates New Rights for Individuals

What will this new privacy law mean for consumers?

The new law provides California consumers with a revised set of rights that are very similar to those granted to residents of Europe under the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25. 

Under the current version of California’s forthcoming law, individuals will be able to find out what type of data organizations have about them, how organizations use that data in business contexts and with whom the organizations share the data. Those rights closely mirror those that were granted to people in Europe under the Data Subject Access Request section of the GDPR.

And New Obligations for Organizations

California’s new law will impact organizations that collect people’s data in two significant ways. First, it will require them to disclose the identities of third parties to whom they sell consumers’ data. And second, and perhaps more importantly, it will give consumers the ability to object to the sale of their data. If companies opt to continue selling customer data, they will be required to create simple mechanisms that people can use to request that their data not be sold. Furthermore, organizations must ensure that they do not discriminate against customers who do not want their data sold to third parties.

Another significant provision of the new California law is that, like the GDPR, it will give consumers the right to request that organizations erase their data, with very limited exceptions.

Organizations will have to comply with the new law if they do any of the following:

  • Earn $24 million or more in annual revenue.
  • Hold the personal data of at least 50,000 people, households or devices.
  • Generate half of their revenue from the sale of consumers’ personal data.

Perhaps the most significant statute of the bill is that it gives people the “private right of action in connection with certain unauthorized access and exfiltration, theft or disclosure of a consumer’s non-encrypted or non-redacted personal information.” In other words, it will give consumers the right to take action if they discover that their personal information has been stolen or is being used in an otherwise unverified way.

Related Article: Privacy By Design Is About to Become Law: Is Your Organization Ready?

Compliance Measures Your Organization Should Take

What should organizations do to ensure they are in compliance with the new law?

The good news is organizations that have adopted GDPR compliance programs are likely already in the process of putting into place some — if not all — of the necessary policies, procedures and technical controls that they will need in order to comply with California’s new law.

First and foremost, organizations must know their data and know their employees. Every organization has sensitive data, from customer information and employee records to intellectual property and medical records, just to name a few examples. In order to appropriately protect this sensitive data and information, organizations must first understand the data they hold and the life cycle of that data within their businesses.

From there, organizations need to determine what the data and information is; how it is being created or collected; how it is maintained, stored and shared while it is being used; and, finally, how it should be destroyed. These are all key steps toward implementing better practices in protecting sensitive data and information that will allow organizations to better safeguard these valuable assets and better respond to consumer requests under the new California Consumer Privacy Act.

Related Article: Digital Supply Chain: Privacy and Security Considerations