Companies that don’t have European customers may have felt a bit smug last year as those businesses with data on EU subjects worked frantically to come into compliance with the General Data Protection Regulation (GDPR).
Now the shoe is on the other foot: businesses that did the work for GDPR have a head start on compliance with the California Consumer Privacy Act (CCPA), scheduled to take effect in January 2020. The new law applies to any for-profit company that does business in California and meets at least one of three thresholds: annual gross revenues above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving half or more of its annual revenue from selling personal information. Note that "does business in California" does not require a physical presence there, so the law potentially reaches far beyond California, and you also need to make sure any business you sell customer data to complies with it.
California Consumer Privacy Law Provisions
Like GDPR, the law has several provisions, and like GDPR, you’ll be penalized if you fail to satisfy the regulation. Civil penalties run up to $2,500 per violation, or $7,500 per intentional violation, and if that seems low, multiply it by the number of consumers whose data you store to understand the true cost, since each affected record can count as a separate violation.
Some of the provisions of the California law match the provisions of GDPR, and others are distinct. The law requires the following:
• allow customers to see the data you collect about them
• allow customers to request their data be deleted
• allow customers to opt out of having their data sold
• allow customers to limit how their data is used for online advertising
Satisfying the California Consumer Privacy Law
Nobody likes reading privacy policies online, and you can’t bury your compliance with the above rules in a block of text no one will read. The law requires that a business selling personal information provide a clear and conspicuous link on its website home page titled “Do Not Sell My Personal Information,” leading to a page where consumers can opt out. It’s also important for businesses to understand that “sell” does not necessarily require that you receive money in exchange for the data: transferring personal information to another business for any other valuable consideration also counts as a sale.
As with GDPR, compliance requires understanding your data. Know where you collect personal information (which the law defines more broadly than traditional personally identifiable information, covering anything that can reasonably be linked to a consumer, household or device) and how it is used by your organization. Expect to invest time in training your business units so they understand what they can and cannot do with the data they collect. Identify (or define) procedures to verify that a request really comes from the consumer in question, to extract their data and send it to them, and to update or delete it upon their request.
Although the law may still undergo some modifications before it takes effect, you should start preparing for compliance now. Many organizations found complying with GDPR to be more challenging than they had anticipated, and some have already felt the impact of noncompliance penalties.
VAST IT Services has experience with the GDPR compliance process and provides support for tools that make compliance easier; this expertise provides a strong foundation for implementing compliance with the California Consumer Privacy Act. Contact us to learn more about what you need to do to protect consumers and your data to comply with these new privacy regulations.