Shortly on the heels of the European Union's General Data Protection Regulation (GDPR), and amid public outcry over the disclosure and use of personal data gathered by Facebook and Cambridge Analytica, California's legislators passed a new privacy law that grants new consumer privacy rights to Californians.
AB 375, also known as the California Consumer Privacy Act (CCPA), passed the State Assembly and Senate without opposition on June 28, 2018, and was signed into law the same day. The act has far-reaching implications and will affect many different organizations, not just companies based in California: it applies to businesses that collect the personal information of California residents (and meet the act's size thresholds), or that sell that information, regardless of where the business is located. Other states may follow suit and introduce similar consumer-protection legislation. Civil penalties for noncompliance can reach $7,500 per violation if an alleged violation is not cured within 30 days of notification by the Attorney General.
The California Consumer Privacy Act takes effect on Jan. 1, 2020, and guarantees California residents the following rights, among others:
- The right to know what personal information is being collected about them.
- The right to know whether personal information is sold or disclosed, and to whom.
- The right to say no to the sale of personal information.
- The right to access their personal information.
- The right to equal service and price, even if privacy rights are exercised.
What should you do now to comply with the California Consumer Privacy Act?
As with GDPR, all organizations should review their business processes and control environments to ensure compliance with the act. Start by identifying the information assets that may be subject to the act and where those assets reside in the company's environment. Then determine whether each of the consumer rights listed above can be fulfilled with systems as they are designed today; for example, whether personal information about a single consumer can actually be located, exported, and deleted across every system that holds it. Where the current design does not allow this, determine what modifications are required, and develop a corrective action roadmap to reach compliance by Jan. 1, 2020. Implement processes and procedures to track incoming consumer requests regarding their privacy rights, and add controls to the internal control environment that monitor the completeness and timeliness of the processing of those requests. Finally, keep an eye out for updates, as amendments to the act are likely before and after it takes effect.
What should we do in the long term?
Beyond the immediate implications of GDPR and AB 375, all organizations should take information privacy as seriously as information security. Consumer data collection is undoubtedly important to businesses, since it helps enhance the customer experience and improve business efficiency. Data collection will only increase as more businesses identify how data science and analytics can help them improve services or add new revenue streams.
However, organizations must consider the responsibilities that come with collecting consumer data, and proactively address the changing compliance landscape. The goal is not only to stay compliant with current regulations, but also to prepare for future requirements and protect the organization from reputational damage.