
What does California’s new data protection law mean for businesses?

On 28th June 2018, a new piece of legislation called the ‘California Consumer Privacy Act of 2018’ was signed into law by California Governor Jerry Brown. Due to be enforced across the state from the start of 2020, the Act will give consumers more control over their personal data and impose stricter rules and penalties on businesses that handle customer data. This has caused many to compare it to the General Data Protection Regulation (GDPR), which was implemented across the EU and UK on 25th May 2018.

Though California’s new Act was approved last year, it came back into the news in February 2019 when an amendment to the incoming law was proposed. Filed on 22nd February, the proposed measure would allow consumers to sue businesses for monetary damages if they were accused of breaking the law. As it currently stands, companies will have a short window of time to fix alleged malfeasance. As Insurance Journal explains, organizations will have up to 30 days to prevent class-action litigation and other consequences mostly related to regulatory penalties.

The basics of the California Consumer Privacy Act of 2018

Currently, there is plenty of confusion around California’s new data protection law. Hastily signed into law in June 2018 (just days after it was introduced into the California Legislature), it was introduced in place of a similar privacy ballot initiative that would have imposed even stricter rules for businesses. Public support for a possible ballot was brought about by the Facebook Analytica Scandal and other major privacy scandals being brought to people’s attention in recent months.

The main reason for the confusion around the California Consumer Privacy Act (CCPA) is that the final regulations are yet to be published and may not be until 2020. However, what we do know is that consumers will be given the following rights:

  • A business must notify consumers what Personal Information is being collected on them, how it is being collected and used, and whether it is being shared with others. If it is being disclosed or sold to other organizations, consumers would be made aware of who these organizations are.
  • If a business intends to sell consumers’ Personal Information to a third party, then consumers must be presented with a straightforward process to opt out of having their information sold. This involves adding a “Do Not Sell My Personal Information” link to the business’s website homepage. Additionally, if consumers are under the age of 13, the business must receive consent from a parent or guardian instead.
  • Businesses must inform consumers that they have the right to request that businesses delete any Personal Information they hold on them. Businesses must comply with these requests to delete information, and this includes ensuring it is deleted by third-party contractors.

As part of this, businesses and organizations cannot discriminate against consumers who exercise their rights under the new CCPA. For more information on the new law, check out New Jersey Law Journal's article.

What does California’s new law mean for your business?

Before taking action to ensure your compliance with CCPA when it comes into effect, you should check if it applies to you. If your business is a certain size and/or doesn’t deal with Californian residents, then you may not need to worry just yet. However, other US states may soon follow suit with this new law. So, even if it won’t affect you in the near future, you should be aware of it.

Companies that will be affected include those that generate an annual gross revenue in excess of $25 million. They must also receive or share personal information of more than 50,000 California residents annually, and derive at least 50% of their annual revenue by selling the personal information of California residents. However, non-profit businesses are not required to comply with the legislation.

As with GDPR, businesses that are required to follow the guidelines but fail to do so could face large fines. Additionally, if a fine isn’t bad enough, the potential damage to your company's reputation following a data breach should also be enough to convince you to ensure your compliance.

How to ensure your business is compliant with CCPA

Ensuring your compliance with the California Consumer Privacy Act of 2018 is currently tricky, as the final guidelines of the law are yet to be published. Nonetheless, your business should be taking steps to implement what is required for you to provide the aforementioned consumer rights.

One thing to take note of is that even if your business is US-based, you must comply with GDPR if you do business with customers based in the EU or the UK. If this is the case and you have already ensured your compliance, there is good news: you may have already done some of the hard work you need to do to also comply with CCPA.

April 1, 2019