New California Privacy Act Impacts Small Businesses and Data Gathering

In a week’s time, the California Legislature submitted and approved a landmark privacy bill called the California Consumer Privacy Act of 2018. AB 375 was passed unanimously 6/28/2018 and was signed by Governor Jerry Brown. This bill will affect all companies that do business in the state and collect data, effective 1/1/2020.

Highlights of the bill include: • Gives consumers the right to ask businesses for the types and categories of personal information being collected. • Requires businesses to disclose the purpose for collecting or selling the information. • Requires businesses to disclose the identity of the third-party organizations receiving the data. • Gives consumers the right to request data be deleted and initiate civil action if they believe that an organization has failed to protect their personal data.

It is remarkable that the bill was submitted, approved, and signed into law in a week’s time. In part, the legislators decided the bill was preferable to a planned initiative slated to appear on the ballot in the November elections. Over 600,000 California voters had signed their support for the ballot measure. Recent massive data breaches contribute to consumers’ concerns.

It is thought by some that modifications to a bill will be easier to make than to an initiative passed by voters. The Internet Association, whose members include Amazon, Facebook, Google, Uber and many other giant technology firms, has called AB 375 a "last-minute" deal that needs to be corrected. Opponents have expressed some previously used concerns for legislative changes on various topics, such as the bill will: • Confuse consumers • Hurt businesses and their ability to hire; a position held by a lobby group called Committee to Protect California Jobs which is heavily supported by the tech industry • Stifle innovation

The bill is similar to Europe's General Data Protection Regulation (GDPR) which went into effective in late May, 2018. Some global companies have already stated they plan to operate in all countries under the parameters of the GDPR. The California bill is the first of its type in the Unites States. California has the 5th largest economy in the world (largest than United Kingdom) and often is seen as a leader in legislation. Privacy proponents hope that other states will adopt similar bills.

Additional components of the bill include: • Gives consumers the right to opt out from the sale of their personal information • For children between 13-16, prohibits the sale of their personal data unless they specifically opt in • For children under 13, consent must be provided by the parent or guardian

Small Business Impact While the emphasis behind AB 375 may have been to target large data aggregators and sellers, it will impact all businesses that collect data from California consumers. Small businesses are included as well as the giant tech companies. Even if your business is not located in California but you collect data from Californians, you will need to comply.

The effective date is 1/1/2020, so businesses have about 18 months to strategize how they will comply. Small business owners should monitor the bill and any changes proposed in coming months. Owners should start conversations soon with their legal partners and insurance partners to discuss what steps the business may need to take to ensure compliance by 1/1/2020.

About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.