California’s Version of GDPR: Applicable to Consumer Embedded Systems?
California recently passed an aggressive data privacy law. The California legislature passed AB375 (the California Consumer Privacy Act of 2018), which by most accounts is a strong push for consumer privacy. In summary, the law requires companies that collect consumer data to disclose to the consumer the categories of data collected and to give the consumer the option of opting out of the sale of that data.
The new California law is a step towards the GDPR. It shares much of the same intent, but it does not have the same goals, parameters, or penalties for non-compliance. Interestingly, the law requires the company to disclose the “category” of the third party receiving the consumer’s data, rather than the name of the third party.
Beginning on January 1, 2020 (the date the law takes effect), consumers in California will have the right to know what personal information a business has collected about them, to prohibit the sale of their data, to know the categories of companies that receive the data, to have their data deleted, to know the sources from which the data being sold was collected, and other pertinent facets of their data.
The headlines do indeed portray this as a far-reaching and direct victory for consumer rights. The general consumer expectation is that this will bring Google, Yahoo, and other internet-oriented companies into compliance and make them more transparent about how consumer data is used. One should actually read the statute to gain a better understanding of its parameters. The California Consumer Privacy Act of 2018 does indeed affect businesses. As an example, section 1798.105 gives a consumer the right to request that a business delete any of the consumer’s personal information. On an initial reading, this would appear to affect every business that collects the personal information of a California resident.
Under this law, however, a “business” as it pertains to consumer data privacy is one that “...collects consumers’ personal information” (1798.140(c)(1)) and that also meets at least one of three thresholds: annual gross revenues greater than $25M (1798.140(c)(1)(A)); buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices (1798.140(c)(1)(B)); or deriving 50% or more of its annual revenue from selling consumers’ personal information (1798.140(c)(1)(C)). As the statute is presently written, the “or” is important. Although these thresholds narrow the field of companies that must comply with the statute, they still capture the large companies that account for most consumer data collection. The statute also expressly counts devices, where a device is any physical object capable of connecting to the internet or to another device.
Embedded devices are used throughout many industries and in many products consumers touch daily, including vehicles. Connected vehicles have many opportunities to collect a consumer’s private information. If a person connects their cell phone to the vehicle through an app, the person’s contact list, call history, previously visited locations, credit card numbers, and other relevant data could be collected by, or at the least pass through, the vehicle’s modules. IoT devices may hold a portion of this data along with other data points deemed confidential. These are only two examples of many possible scenarios. This is not legal advice and is my opinion only; however, it seems this new statute would apply to the embedded systems in vehicles, IoT devices, and other similar devices that collect, process, or manage a consumer’s private information and data in California. At this juncture, the point is more conjecture, offered to begin the thought process.
If the statute does apply to these systems, substantial updates would be needed to the code for present and future hardware, to the affected policies, and to the notice functions that inform consumers.
California Legislative Information. (2018). Bill text: AB-375 Privacy: personal information: businesses. Retrieved from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
California Privacy. (n.d.). Californians for Consumer Privacy applauds successful passage of groundbreaking legislation. Retrieved from https://www.caprivacy.org/
Lecher, C. (2018, June 28). California just passed one of the toughest data privacy laws in the country. The Verge. Retrieved from https://www.theverge.com/2018/6/28/17509720/california-consumer-privacy-act-legislation-law-vote
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.