As various European countries begin to adopt their own data privacy laws to the EU’s own GDPR, Europe leads the world in data privacy regulations. Japan, India, South-American countries follow suit. However, in light of the controversies such as Facebook and Cambridge Analytica, the United States is hard at work to catch up to the digital privacy standards, starting at the state level.
The first of many states to pass its own digital privacy regulations, California proposed the California Consumer Privacy Act (or the CCPA Initiative) earlier this year in time for the November ballot. The CCPA is set to come into effect 1 January 2020, although businesses are advised to begin their preparations via data mapping and record keeping starting 1 January 2019 in order to be properly prepared in time for the law’s effective date.
Who does the new law effect?
The CCPA is intended to regulate all for-profit entities that exceed $25 million in gross revenue; or that annually buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more entities, which includes consumers, households, and devices; or that derive 50% or more of annual revenues from the sale of consumers’ personal data. Consumers in this case is defined as all natural persons who are registered as Californian residents under state tax regulations.
What data is effected?
The CCPA concentrates on the regulation of all “personal information” which in this case is broadened to define the identification or association with a consumer or household. Identification includes all demographics, usage, transactions, inquiries, education information, and preferences and inferences used to create a profile. However, public government records, de-identified data, and aggregate consumer information are excluded.
What is required of businesses?
A business must disclose and update every 12 months its online privacy policies, which should cover the description of the consumer’s right to request the collection of all personal information and the right to deletion of all personal information. A business must as well, at the point of collection, inform the consumers as to the categories of personal information collected and the intended usage of this information. Furthermore, businesses must allow for the consumer to refuse the business the right to sell the consumers personal information and still provide the same level of service to the consumer if they exercise this right.
How is it enforced?
The CCPA will be enforced by the California Attorney General with a civil penalty of up to $7,500 per violation of data subject. Businesses will, however, be given a 30-day cure period.
Implications
Comments