ISVs: Get Ready for the California Consumer Privacy Act

The California Consumer Privacy Act requires transparency and grants consumers control over the data companies collect and sell.

The California Consumer Privacy Act website’s homepage starts off by saying, “They said it couldn’t be done … But we did it anyway.”

On June 28, 2018, the governor signed AB 375 into law, “the most sweeping, comprehensive, and empowering consumer privacy rights in the country.” After 629,000 Californians signed the petition to put the bill on the ballot and some of the corporations that initially opposed the legislation became supporters, the California State Legislature passed the bill.

The California Consumer Privacy Act pertains to businesses that earn $50,000,000 or more per year in revenue, sell 100,000 consumer records annually, or acquire 50 percent of their annual revenue by selling personal information. The law applies to any company that collects or sells Californians’ personal data, whether the company is based in California, another U.S. state, or another country.

California Consumer Privacy Act Basics

Reminiscent of the EU’s General Data Protection Regulation (GDPR), the California legislation grants consumers the right to:

  • Know all the data a business collects about them
  • Delete their data
  • Be informed about the types of data that will be gathered about them before collection

But the California Consumer Privacy Act differs from GDPR by granting rights to consumers about the sale of their data. The new law allows consumers to:

  • Say no to the sale of their personal data
  • Know the third parties with whom their data is shared
  • Know the sources from which their data was acquired
  • Know the business purpose for collecting their data

It also mandates opt-in before the sale of data related to people younger than 16.

The legislation charges the Attorney General of the State of California with enforcing the law and, according to the law’s title and summary, “allows consumers the right to sue businesses for security breaches, even if they can’t prove injury.”

Helping Your Clients Comply

If you have clients who are putting the finishing touches on GDPR compliance, it’s time to review those policies for compliance with the California Consumer Privacy Act before January 1, 2020, when it goes into effect.

If you have clients who haven’t yet initiated policies to comply with new data management regulations, it’s time to evaluate their operations for risks and begin to build solutions that will keep them in compliance. Give priority to solutions that give a business and its customers transparency into data collected on an individual, how it is being used, and how to effectively delete all data pertaining to a specific person.

Also focus on ways that enable a consumer to tell a company that they do not want their data to be sold and, in turn, enable that company to demonstrate that it did not sell that data. It will also be beneficial to give the company the ability to prove it did not discriminate against the consumer in any way for refusing permission to sell their data, since such discrimination would violate the new law.

It’s also an opportune time to make sure your clients have adequate security measures in place. The California Consumer Privacy Act increases fines and penalties for not having “reasonable security measures” in place to protect consumers’ data.

As with GDPR, it may be advantageous to help your clients adapt general policies that comply with the new law, rather than try to segment data belonging to California residents. It may also be worth offering your solutions to clients who currently aren’t required to comply — they may be required to comply with similar laws in the future.