Data Protection Officers up to their necks dealing with the aftermath of their General Data Protection Regulation (GRPR) compliance sprint might be forgiven for having missed the bill to enact the California Consumer Privacy Act of 2018. It’s a relatively light read compared to the GDPR – just 24 pages – and it covers some of the same ground that DPOs will be familiar with from the GDPR. A few highlights from the bill show that Californians will be getting similar rights over their personal information that EU citizens will be getting through GDPR…
…right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed.
As with the GDPR, there’s a bit of time to get used to the requirements of the California Consumer Privacy Act.
Although already signed off by the Governor, Jerry Brown, the act won’t be enforced until 1st January 2020.
All businesses dealing with California residents’ data – and that will be a lot of companies – will need to revisit their security, record keeping and data protection procedures and processes to ensure compliance not just with GDPR, but also with the CCPA – and whatever other state legislation comes along in the meantime!
The key difference for organisations between the GDPR and CCPA is the lawyers.
In the EU, regulators don’t have the resources to effectively police the GDPR at scale and will be reliant on self-reporting and whistle-blowing to catch and fine the worst offenders.
While the EU may be keen to extract its pound of flesh from the obvious big brands with deep pockets and enviable net effective tax rates, most organisations can expect a light touch with only the worst serial offenders likely to be hit with financial penalties.
Access to legal redress under GDPR by consumers in the EU is both slow and expensive in most countries. There will be a few headline cases funded by activist groups, but the European courts aren’t likely to be clogged up with GDPR cases.
The situation in the US is a little different.
One can imagine the legal profession salivating over the prospects of fees from all sides from this kind of legislation.
Lots of cash rich (whether through actual profits or mad VC funding rounds) Silicon Valley companies whose stock in trade is personal data to target with class action suits over breaches.
On the other side of the fence, corporate legal teams will be preparing their defences and adding numbers.
Individual citizens in the US are also much more comfortable than their EU counterparts at seeking redress through the courts.
The Attorney General of California’s handy one page summary of the proposed legislation includes this statement:
Allows consumers to sue businesses for security breaches of consumers’ data, even if consumers cannot prove injury.
It remains to be seen what effect the California Consumer Privacy Act of 2018 will have on citizen’s privacy and what the additional costs of compliance will be for businesses.
The one thing that does seem assured, though, is that the US legal profession can prepare for a sustained period of growth!
Need to speak to an expert about data privacy and protection?
Need help with your compliance strategy for GDPR and other data protection legislation?
Complete the enquiry form to arrange a no-obligation call to see if we can help.