9 August 2018
The game is changing again for organizations and their data privacy practices as a result of a new California law.
Organizations worldwide are already feeling the impact of the General Data Protection Regulation (GDPR) that went into effect in the European Union on May 25, 2018. Data privacy and security issues remain top-of-mind concerns for businesses and consumers alike as a result of the GDPR and other regulations, as well as recent privacy-related events. Now, California has upped the ante with the passage of the California Consumer Privacy Act of 2018, a trailblazing privacy law that will take effect January 1, 2020. Similar to how the GDPR affects all organizations operating in the European Union, the California Consumer Privacy Act impacts any organization worldwide that conducts business in the state and collects data on California residents. Among other mandates, it requires these businesses to disclose personal information they store, for what purpose the information is stored and with which third parties it is shared.
One of California’s primary objectives in passing this law is to provide consumers an effective way to control their personal information by ensuring the following rights:
- The right of Californians to know what personal information is being collected about them – Consumers gain the right to request that a business disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected and the business purposes for collecting the information.
- The right of Californians to know whether their personal information is sold or disclosed and to whom – Consumers gain the right to request that a business that sells their personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the identity of third parties to which the information was sold or disclosed. The law also requires a business to provide this information in response to a verifiable consumer request.
- The right of Californians to say no to the sale of personal information – Consumers may opt out of the sale of their personal information by a business without penalty.
- The right of Californians to delete their personal information – Consumers gain the right to request deletion of their personal information and businesses would be required to delete this personal information upon receipt of a verified request.
- The right of Californians to equal service and price, even if they exercise their privacy rights – The law prohibits a business from discriminating against consumers for exercising their right to opt out of the sale of their personal information, including by charging any consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to the value provided by the consumer’s data.
Commenting on the new law, California State Senator Robert Hertzberg said, “Today the California Legislature made history by passing the most comprehensive privacy law in the country. We in California are continuing to push the envelope on technology and privacy issues by enacting robust consumer protections – without stifling innovation.”
It is reasonable to assume that, along with the GDPR, the passage of the California Consumer Privacy Act could become a catalyst for other states to pass similar or identical data privacy laws for their residents. The new legislation gives Californians the right to see what information businesses collect on them, request that their information be deleted, obtain access to information on the types of companies to which their data has been sold, and direct businesses to cease selling that information to third parties.
The bill shares some requirements with the GDPR, yet there are notable differences. Under the GDPR, businesses are required to obtain users’ permission before collecting and storing their data. The California Consumer Privacy Act allows companies to offer different services or rates to consumers based on the information provided, as long as the difference is “reasonably related to the value provided to the consumer by the consumer’s data.” In addition, unlike the GDPR, the new California law contains no requirements regarding appropriate security measures organizations must take.
Key Considerations and Steps to Take
Organizations should immediately review their data handling and collection practices to determine whether they store California consumer data, the purpose for collecting and storing this data, and the third parties with which this data is shared. Many organizations handle and/or sell California consumer data. Therefore, affected companies should initiate investigations to ascertain what data is being collected, along with the purpose of the data collection and how long the data is being stored. Subsequently, controls must be implemented to mitigate the risk associated with collecting, storing and/or selling consumer data in ways that may not comply with the new law.
In addition, organizations need to make sure they will be able to respond to consumer requests. Many companies are not in a position to respond effectively to these types of requests and will require significant data inventory and management processes.
These options are intended as guidance only. Each organization may need to implement different strategies depending on its business constraints and technical limitations.
Privacy laws such as the California Consumer Privacy Act and GDPR continue to reinforce the theme from government and regulatory authorities that protecting consumers and promoting responsible innovation are of the utmost importance. In addition to preventative measures such as those outlined above, organizations must work on maturing their information collection practices; implementing controls that secure and detect sensitive data; and developing, refining and testing robust response procedures. A significant number of organizations are not fully aware of the data they are collecting, where it is stored or how it is shared. In addition, many organizations mishandle the response activity, often failing compliance audits and/or experiencing fallout from a breach. (Protiviti, in partnership with Robert Half and the multinational law firm Baker McKenzie, has published a resource guide to help organizations understand, prepare for and operate under the GDPR. Understanding the General Data Protection Regulation: Frequently Asked Questions is available at www.protiviti.com/GDPR.)
For these reasons, despite having an 18-month window, most organizations can benefit from performing an initial assessment now to determine if they are currently in compliance with the new California law and identify gaps to address. If the GDPR provides any lessons learned, it is that organizations typically require 12 to 18 months to meet these types of requirements and develop sustainable processes for compliance.
We will continue to report on these important issues as they evolve.