California passes the USA’s toughest data privacy law to date

16th July 2018

It may only be July, but already it’s been a busy year in the data protection world. Back in May (and in the weeks and months leading up to it), GDPR dominated headlines the world over, as the EU brought in its new regulation to hand control of personal data back to data subjects. GDPR is designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy”.

However, it’s not just Europe that wants in on the data protection action this year. Last month the California Consumer Privacy Act of 2018 was signed into law, which will bear some remarkable similarities to GDPR when it comes into effect on January 1st 2020.

Like GDPR, the California Consumer Privacy Act affords residents the right to “be informed about what kinds of personal data companies have collected and why it was collected, the right to request the deletion of personal information, opt out of the sale of personal information, and access the personal information in a readily useable format”.

So, what are the implications of the new law? Businesses in a variety of sectors need to look at their models and examine whether or not they are compliant in their current state. Companies that generate revenue through targeted advertising online need to ensure that the way they have gathered the information is transparent, and that Californian residents can have theirs deleted if they so desire. Companies that gather behavioural data through customers’ usage patterns (such as web browsing) need to ensure that people are aware of the information that is being collected and what it will be used for. Companies that sell data to third parties definitely need to stop and think.

As the name suggests, the California Consumer Privacy Act is not a nationwide law – it is unique to the state of California. Companies affected by the legislation therefore also need to work out how they will change their business practices: will they reform everything, everywhere, to ensure they are legally compliant in California? Or will they find a way to segment Californian residents from the rest of their customer/user base and treat them as a separate entity?

For California, now is definitely the time for businesses to ensure that all the data they gather, hold and use is in keeping with the new Privacy Act. But should this just apply to Californians? It certainly seems like we could be reaching a new era of data protection the world over, so there’s no harm in taking some time to audit your company’s practices, regardless of where you are located. A great start is to ensure that your HR and payroll systems are secure and that all the personal information you hold is safe and legal.

It might seem like a slog to revise your data protection policies, but remember, these new laws are designed to suit a new online climate that previous policy did not account for. Even if you do not reside in an area with one of these new laws, such as the EU or California, every single day your data is collected and used in a whole host of ways. The new legislation we are seeing across the world puts the data subject in control of that, so it’s important you do the same for your employees.