California passes furthest-reaching privacy law to date

Privacy and data security concerns continue to spread in the United States.

On June 30, 2018, the California state legislature passed an unprecedented privacy regulation, the California Consumer Privacy Act of 2018, which takes many of its cues from the European Union’s (EU) General Data Protection Regulation (GDPR). The legislation grants consumers greater control over and visibility into their data and its use and propagation over the internet – a significant step up in data-collection oversight.

Rights and enforcement impacts

While the new California law is not as broad as GDPR, it does grant consumers (also known as data subjects):

  • the right to know: 1) what information companies are collecting about consumers, 2) why companies are collecting the data and 3) with whom the companies are sharing the data.
  • the right to tell a company to delete a consumer’s personal information and instruct the company to not sell or share the personal data. If a consumer opts out of his/her information being stored and/or used, the company must still provide that consumer with the same level of quality service.

Beginning with the law’s enforcement in January 2020, the potential fine for a compromise/breach or unauthorized release of personal data is steep ($100 to $750 per record). For example, if a company suffers a breach that affects 100,000 records that include personal information, that translates to a potential minimum fine of $10 million.

Why this matters

It is clear that we are entering an era of stricter data privacy regulations with increasing demand for oversight. California is likely only the first of many U.S. states to enact this type of protection and rights for data subjects. Any company that collects or processes personal information needs to understand the regulation, the impact of its compliance requirements and how customers/clients view data privacy. Start with building a sustainable privacy program to address these issues. Companies must ensure they have access to privacy expertise to evaluate how privacy, and new regulations such as GDPR and California’s Consumer Privacy Act, will affect their business decisions.

What companies should do now

With the increasing expectations and empowerment of consumers comes a growing need for greater transparency into a company’s data collection and processing approach. The following are essential steps to take now:

  1. Be transparent about the personal consumer data you collect/store and how you use it: Companies frequently have good reasons to collect and store personal consumer information. Be prepared to provide a detailed description of what data is collected and why it is used.
  2. Evaluate current systems and understand your data risk: Companies must conduct a privacy assessment to evaluate how the California law affects them and document the types of personal consumer information they currently collect. They must also understand the risks and benefits associated with existing processes, review policies and controls and be transparent about how those policies and controls protect the company and the consumer. Take steps to evaluate the systems in place and map out how the company will address data subject (consumer) requests regarding their personal information. Ensure there is a fundamental understanding of how the company handles personal consumer data retention, protection and disposal.
  3. Apply best practices: Upon completion of the privacy assessment, companies should update current and/or apply new data protection controls and processes within the company’s operations. Other practices to consider:
     • Ensure top-down support to drive the effort’s priority and awareness throughout the company.
     • Educate internal stakeholders on the importance of proper data management and the company’s expectations around privacy.
     • Consider the creation of a data privacy officer (DPO) within the company (a role required by GDPR).

The evolving nature of data privacy continues to challenge business leaders. Those who proactively develop a sustainable data privacy program will be better prepared to address consumer concerns and provide an improved brand experience to their customers.