business California Consumer Privacy Act Paves The Way for Data Privacy Regulations August 20, 2018 Lost in the hype around GDPR, domestic data privacy regulations are picking up steam. With the much publicized implementation of the EU’s General Data Protection Regulation (“GDPR”) governing data protection and privacy on May 25, 2018, US companies were scurrying to assess its impact and applicability on domestic and international operations. This is no time to breathe a sigh of relief however as the California Consumer Privacy Act of 2018 was recently passed and could likely impact companies who escaped the tentacles of the GDPR. What is it? The California Consumer Privacy Act of 2018 (the “Act”) was signed into law on June 28, 2018 after being rushed into the California Legislature only a few days prior (partially as a result of the nuanced legislative process of California). Effective January 1, 2020, as currently enacted, the Act is applicable to all “for-profit” businesses that collect and control California residents’ personal information, do business in California, and: have annual gross revenues in excess of $25 million; or receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or derive 50% or more of their annual revenues from selling California residents’ personal information. With effectivity not occurring until January 1, 2020, it is likely that the Act, as currently constituted, may be revised and or amended in the interim. Major Provisions The Act provides consumers (California residents for tax purposes) with the following “rights”: the right to know, through a general privacy policy what information a business has collected from them, where it came from, its use, whether it is disclosed or sold and to whom it is being sold or disclosed; the right to “opt out” of allowing a business to sell their personal information; the right to have a business delete their personal information; and the right to receive equal service and pricing from a business. The Act also prohibits businesses from discriminating against consumers exercising their privacy rights under the Act. Penalties The Act provides for civil penalties up to $7,500 per violation. In addition, the Act provides a private right of action that allows consumers to statutory or actual damages and injunctive and other relief, if their sensitive personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain required reasonable security procedures. What should I do? If you have already undertaken procedures to develop various policies and procedures relative to compliance with the GDPR, EU-US Privacy Shield or other regulatory edicts, you should be able to leverage these efforts in evaluating your posture relative to the Act. Although the Act shares some similarities with the GDPR, it is less comprehensive in certain aspects. Your first step is obviously to assess the applicability of this law on your specific operations by doing a comprehensive analysis and inventory of the data you hold. Also, it is critical to note that even though this Act (or the GDPR) may not be applicable to your operations, it is highly likely that additional states will adopt similar measures given the highly publicized cases of data breaches that occur seemingly on a daily basis. You would be served well to address data security and privacy now, regardless of compliance requirements. Questions on Data Privacy and Security? Reach out to our Technology Experts today.