Privacy Lockdown: California Consumer Privacy Act of 2018

Since the implementation of the EU’s General Data Protection Regulation (GDPR), data protection and privacy have been at the epicenter of ecommerce discussions for some time. And as of June 28th, 2018, that discussion is larger and louder than ever.

What happened on June 28th, 2018?

In case you missed it, on June 28th, 2018, California Governor Jerry Brown signed a bill that successfully passed the California Consumer Privacy Act of 2018 (the “Act”) as law. This new law gives data and privacy discretion back to the consumer and officially awards five new privacy-related rights to California residents. Under the law, businesses must remain compliant with these new rights and must do so by providing notices within their privacy policies, as well as upon consumer request, on the who, what, where, when, and why of their data collection.

 

What are the official rights named in the Act?

The five new privacy rights listed in the Act are as follows:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information and delete the information upon request.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.

Who is protected under the Act?

The Act protects California-based consumers. As defined by the law, this means any business based outside of California, and even outside the U.S., that sells to Californians is required to comply with the Act’s provisions.

 

So what does this mean for businesses?

In short, this means it’s time to embrace change. While some U.S. operations felt virtually unscathed by the rollout of GDPR, many of those businesses will have to make their own series of adjustments to remain compliant with the Act. However, only certain businesses will be affected.

The Act defines a “business” as an operation meeting at least one of these requirements:

  • Annual gross revenue in excess of $25 million
  • Processes information of 50,000 or more consumers, households, or devices
  • Derives at least 50% of annual revenue from selling personal information

While many modest small businesses might not meet these thresholds, it’s still important to note that intricate privacy and data protection laws are making their way to the United States. With that in mind, it isn’t a bad idea to get on board with compliance sooner rather than later.

 

How similar is the Act to GDPR?

Not very similar. While the Act and GDPR have some crossover, such as the general privacy rights granted to consumers and what they can request of their personal data, both laws are fundamentally different with regards to what they require of compliance.

Some of the topics that appear in GDPR that do not appear in the Act are:

  • Collection of clear, unambiguous consent
  • Procedures for data breaches and data breach notifications to consumers
  • Data security implementations, such as Data Protection Officers
  • Cross-border data transfers

The primary focus of GDPR was to create an all-encompassing law that outlined detailed, specific, and binding requirements for all businesses to uphold and maintain with regards to consumer privacy and data protection; the Act is a less comprehensive means of providing additional disclosures and information to consumers on how their data is processed, in addition to opportunities to “opt out” of its collection or use.

 

How long does a business have to disclose or delete consumer information?

As outlined in the Act, businesses have 45 days to respond with the actions or information requested. A 45 day extension can be granted to a business, so long as the extension is communicated to the consumer within the initial 45 day window. Additionally, a business is not required to delete consumer data, so long as its collection and storage is relevant to the needs of that business to provide a good or service to its customers.

 

So if I’m compliant with GDPR, does that mean I’m compliant with the Act?

Don’t be fooled. While GDPR and the Act have similar provisions on consumer rights, GDPR does not subsume the Act. The main difference between the two laws is their consent methods. GDPR requires a consumer to “opt in” and give expressed, unambiguous consent to the collection and use of their data; the Act implements an “opt out” method.

Furthermore, the Act features one major difference – the right of a consumer to request their data not be sold. This ‘Don’t Sell My Data’ option may require organizations in the business of selling data to implement separate opt-in and opt-out methods for GDPR and the Act’s respectively governed regions.

 

What is the foreseen impact of the Act?

The Act could open the gates for larger data and privacy laws to take effect throughout the United States. While the Act does not take effect until January 1st, 2020, there is still time for refinements and amendments to be made. In the meantime, the earlier compliance can be made, the better.

As with GDPR, companies should start formulating compliance and implementation strategies to accommodate the forthcoming changes. While 2020 seems like quite a ways away, it’s best to prepare now so you don’t have to pay later.

 

What should I do now?

Stay aware and prepare. Since the Act is still in its infancy stage, it can almost be guaranteed that change is in its foreseeable future. With the number of businesses trying to dispute its provisions (*cough* Facebook *cough*), it is unclear what those changes might be at the moment. However, rest assured we will be here with updates, insight, and ways to prepare for the Act along the way.

If you have any questions about the Act, GDPR, or compliance please reach out to an UpSellit Compliance Expert at hello@upsellit.com.

Leave a Reply

Your email address will not be published. Required fields are marked *