Sacramento, California, USA: A new data privacy law in California will give consumers the right to obtain data collected about them, the right to request deletion of the data, and the right to direct a business not to sell the information to third parties. The new privacy law was opposed by Facebook, Google and major phone carriers.
California Gov. Jerry Brown signed the bill into law on Thursday, one week after it was introduced.
California lawmakers earlier passed the landmark privacy bill that restricts the data-harvesting practices of technology companies like Facebook, Google and Amazon and gives consumers more control over their personal information.
The California Consumer Privacy Act is designed to provide new protections to the state’s 40 million residents in the wake of major privacy breaches including the Cambridge Analytica scandal.
The new rules give Californians the right to see what information is being collected about them and to request that data be deleted, to find out whether their information is being sold to third parties including advertisers and to request that they stop doing so.
The bill requires companies to disclose personal data collected when a consumer requests it, up to two times a year, and to delete and stop selling the personal information to third parties upon request.
It also prevents businesses from selling personal information about minors to third parties, unless the parent of a minor less than 13 affirmatively authorizes the sale, or the minor between the ages of 13 and 16 opts in to the sale.
Businesses can’t discriminate against consumers who exercise their rights under the law by denying them service, charging them different prices or providing a different level of quality. But businesses can offer financial incentives for collecting and selling information, and may offer differing prices that are directly related “to the value provided to the consumer by the consumer’s data.”
A consumer whose data is hacked is entitled to recover statutory damages of up to $750 in a civil suit when companies fail to maintain reasonable security procedures—if certain steps are followed. Consumers can’t sue unless they first notify the business and the state attorney general, and the business doesn’t correct the problem in 30 days and the state attorney general does not bar the suit.
Intentional violations can bring civil penalties of up to $7,500 per violation.
The bill affects companies with California customers that gross at least $25 million a year, or interact with information of 50,000 or more people, or make more than half their revenue from selling personal information.
Consumer protection groups celebrated the passing of the bill as a major victory.
“The Consumer Privacy Act will allow consumers to take control of and make informed choices about their own data, control that fosters a healthy relationship to technology and overall digital well-being,” said Elizabeth Galicia, from Common Sense Media, which co-sponsored the bill.
“Kids are the most tracked generation ever. Their personal information, activities and networks are exposed and often for sale from birth. This law is a strong first step in protecting kids and all consumers,” she added.
“This bill will be the strongest of its kind in the nation and enact safeguards we need in the 21st century,” said Senator Bill Dodd, one of the bill’s co-authors, ahead of the vote on Thursday. “Big data is big business. It’s time we regulate it appropriately and hold bad actors accountable.”
The bill is slated to come into effect on 1 January 2020. Companies could be penalised up to US$7,500 for each violation. The rules will be enforced by California’s attorney general.
Facebook, Google, Comcast, AT&T and Verizon all donated US$200,000 to create a US$1 million fund to oppose the California Consumer Privacy Act, and they are likely to spend the coming months lobbying to water down the law.
“While this law adds a significant new layer of privacy protections for California consumers, even its authors have acknowledged it is far from perfect and will need revisions in the months ahead as its consequences and workability are better understood,” said Linda Moore, president and CEO of the lobby group TechNet.
The law was introduced late last week by the state senators Rob Hertzberg and Bill Dodd and the assembly member Ed Chau in a rush to pre-empt a stricter privacy ballot initiative that had gathered more than 600,000 signatures from Californians. The group behind the ballot initiative, Californians for Consumer Privacy, agreed to withdraw the ballot if the bill was passed this week.
The Internet Association, a technology trade group whose members include Amazon, Facebook, Google and Microsoft, expressed concern over the speed with which the law was passed.
“Data regulation policy is complex and impacts every sector of the economy, including the internet industry. That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning,” said Robert Callahan, vice-president of state government affairs.
“It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”
The passing of the law comes the month after Europe introduced similar sweeping privacy protections under the General Data Protection Regulation (GDPR).
GDPR gives individuals the right to demand companies reveal or delete the personal data they hold, and regulators can work together across Europe for the first time, rather than launching separate actions in each country. It also introduces harsh penalties, with a maximum fine of €20 million or 4 per cent of the company’s global turnover.
Business Data Protection Tips for Data Privacy
Here are some suggestions for securing your systems and keeping the information of customers and clients private:
- If you collect it, protect it. Follow reasonable security measures to ensure that customers’ and employees’ personal information is protected from inappropriate and unauthorized access.
- Know what you are protecting. Be aware of all the personal information you have, where you are storing it, how you are using it and who has access to it. Understand the kind of assets you have and why a hacker might pursue them. “You cannot protect what you don’t know about,” Sundaresan said.
- Don’t underestimate the threat. In one survey conducted by the Alliance, 85 percent of small business owners believe larger enterprises are more targeted than they are. In reality, there have been cases where small businesses have lost hundreds of thousands of dollars to cybercriminals.
- Don’t collect what you don’t need. The more valuable information you have, the bigger a target you might be. Avoid using social security numbers or other personal information for customer identification. Opt instead for login identification and passwords. More layers of identification help keep attackers from being able to simulate users. Consider deleting personal information that you don’t really need.
- Keep a clean machine. Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats. Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
- Use multiple layers of security. Spam filters will weed out malware and phishing scams — many of which are aimed directly at businesses — keeping your email safer and easier to use. Employ a firewall to keep criminals out and sensitive data in.
- Scan all new devices. Be sure to scan all USB and other devices before they are attached to your network.
- Educate employees. Employees are often the handlers of customer data. They therefore need to be kept up-to-date on how to protect that information to make sure it does not accidentally land in the wrong hands. They should be educated about the newest fraud schemes and urged to employ best practices such as not responding to or opening attachments or clicking suspicious links in unsolicited email messages.