Recently, California Assembly Bill 375 ( AB 375) which is known as the California Consumer Privacy Act was enacted in California in a expedited political process. If your company is in Iowa, you may wonder why we would encourage you to familiarize yourself with a law that was just enacted in California and, in fact, does not go into effect until January 1, 2020.
Well, because we believe the California Consumer Privacy Act ("CCPA") is just the beginning of a movement by consumer privacy protectionists to change the way consumer information and data is collected, maintained, used, stored and monetized by businesses throughout the United States. On many levels, the CCPA is a very watered down version of the General Data Protection Regulation ("GDPR") which went into effect on May 25, 2018 in the European Union (including the UK).
The GDPR requires businesses to protect the personal information and privacy of EU citizens. It is beyond the scope of this blog post to delineate all of its provisions but suffice it to say that GDPR is as onerous in scope as it is aggressive in enforcement tools. GDPR expands the definition of what one commonly considers personal identification information and requires a "reasonable" level of protection by businesses for this information. However, it remains to be seen what is "reasonable." GDPR, like CCPA, was enacted to address the increasing concern and lack of trust by consumers that their personal data is being properly stored and protected by businesses and their fear that their date is being resold by those same businesses. While GDPR and CCPA do not mirror each other in terms of compliance requirements or consumer consent (and actually conflict in some provisions), both laws seek to curb the use of consumer's personal information by businesses and to put the control of that use in the hands of the consumer.
CCPA is a "heads up" to businesses across America that deal with and maintain consumer data which is virtually all businesses, large and small. CCPA gives consumers the right to know what information is being collected about them, what the source of that information is, what their information is being used for, whether their information is being used or sold to third parties, and who their information is disclosed to.
Importantly, CCPA gives the consumer the right to "opt out" of permitting businesses to use or sell their personal information to third parties or the consumer can require the business to delete their personal information. And those are just a few of its unique provisions.
We believe CCPA is just the beginning of a wave of new laws and regulations that will be implemented in many states and perhaps at the national level to address the increasingly loud complaints of consumers about privacy concerns about their personal data. Along with laws like CCPA come increased compliance responsibilities, increased compliance costs, operational changes in the way businesses obtain, use and store data as well as the potential threat of litigation arising from same.
Please contact the Lerman Law Firm if we can be of assistance to you in addressing compliance with the ever changing landscape of compliance with data protection and privacy laws.