entreVIEW: CALIFORNIA BRINGS GDPR TO THE USA

Tuesday, July 10, 2018

CALIFORNIA BRINGS GDPR TO THE USA

American businesses were just getting used to compliance with the European Union’s General Data Protection Regulation (GDPR) when, on June 28, California Governor Jerry Brown signed into law the 2018 California Consumer Privacy Act (CCPA).

The CCPA was passed quickly with little debate after a consumer privacy organization agreed to withdraw a much broader privacy initiative that would have appeared on the November ballot. The law does not go into effect until January 1, 2020 and will likely go through several revisions as efforts are made to amend and clarify this hastily drafted piece of legislation.

CCPA is GDPR-like in the notification and access rights it gives consumers and may become the de facto national standard for how businesses use personal information to market their products and services. New systems, processes, and policies may need to be implemented.

Get ready for even more requests from individuals seeking access to or deletion of their data.

The same data mapping exercises performed for GDPR regarding personal data processed of EU residents will now have to be performed for Californians.

Here is a glimpse into some of the key provisions of the current version of the CCPA:

Must My Business Comply?

The CCPA applies to any business that collects personal information from California residents and:

Has annual gross revenues of $25 million or more;
Buys, receives, sells, or shares the personal information of at least 50,000 California residents, households, or devices annually; or
Derives a minimum of 50% of its annual revenue from selling California residents’ personal information.

Disclosures and Right to Opt-Out

Consumers must be able to opt out of the sale of their personal information and businesses are required to notify consumers of this right. The opt-out notification must list the categories of information collected about consumers in the past 12 months and identify whether the business sells or discloses personal information.

These disclosures must appear in the online privacy policy. Businesses must also provide a clear and conspicuous link on their website that says “Do Not Sell My Personal Information.” The link must allow consumers to actually opt-out of the sale of their personal information.

No Discrimination

A business cannot discriminate against a consumer because the consumer asserts any rights under the CCPA, including exercising their right to opt-out of the sale of their personal information.

Right to Deletion

With certain exceptions, California residents will have the right to have any personal information collected by a business deleted upon request.

Enforcement by Attorney General and Limited Private Right of Action

The CCPA is enforceable by the California Attorney General and authorizes a civil penalty of up to $7,500 per violation. California residents have a private right of action under the CCPA only when unencrypted information is accessed during a data breach. The withdrawn privacy initiative would have provided more private rights of action by consumers.

Outlook

California has always been a trendsetter in the United States relative to data privacy laws. It was the first state to enact a data breach notification statute in 2002. The ubiquitous privacy policies that appear on most websites are the result of a 2004 California law. CCPA will likely see significant modifications and amendments as we get closer to January 1, 2020. There is, however, no doubt that CCPA, along with the recently implemented GDPR, are indicative of a major shift in consumer expectations that goes beyond mere compliance with the law.

Some Practical Steps

If CCPA will apply to your business, here are a few steps you should take:

Perform data mapping as necessary to inventory the personal information collected on California residents, households, and devices.
Implement internal policies and procedures for handling data access requests.
Update privacy policies with new disclosures regarding data access and deletion.
Prepare incident response plans and teams as necessary to handle data breach notification requirements.

Businesses should all take a close look at how they collect, use, and share personal data. Data minimization and transparency are key principles to follow. You cannot lose what you do not have and your customers deserve to know what you are doing with their personal data.

Pages

Tuesday, July 10, 2018

CALIFORNIA BRINGS GDPR TO THE USA

No comments :

Post a Comment

Boston 28 State Street Suite 700 Boston, MA 02109 Main: 857.300.4000 Fax: 857.300.4000 Maps & Directions	Chicago 155 North Wacker Drive Suite 3000 Chicago, IL 60606-1787 Main: 312.920.3300 Fax: 312.920.3301 Maps & Directions	Dallas 2101 Cedar Springs Road Suite 1400 Dallas, TX 75201 Main: 469.983.6100 Fax: 469.983.6101 Maps & Directions	Denver 675 15th Street Suite 2650 Denver, CO 80202 Main: 720.931.3200 Fax: 720.931.3200 Maps & Directions
Kansas City 2345 Grand Blvd. Suite 2200 Kansas City, MO 64108 Main: 816.292.2000 Fax: 816.292.2001 Maps & Directions	Los Angeles 2049 Century Park East Suite 3500S Los Angeles, CA 90067 Main: 310.789.4600 Fax: 310.789.4601 Maps & Directions	Minneapolis 3100 IDS Center 80 South Eighth Street Minneapolis, MN 55402 Main: 612.632.3000 Fax: 612.632.4444 Maps & Directions	Overland Park 7300 West 110th Street Suite 150 Overland Park, KS 66210 Main: 913.451.5100 Fax: 913.451.0875 Maps & Directions
St. Cloud 1010 W. St. Germain Suite 500 St. Cloud, MN 56301 Main: 320.252.4414 Fax: 320.252.4482 Maps & Directions	St. Louis 7701 Forsyth Boulevard Suite 500 Clayton, MO 63105 Main: 314.613.2800 Fax: 314.613.2801 Maps & Directions	Washington, DC Suite 700 - The Watergate 600 New Hampshire Avenue, NW Washington, DC 20037 Main: 202.295.2200 Fax: 202.295.2250 Maps & Directions