California’s Data Privacy Law Rippling Through Other States

The California Consumer Privacy Act is widely considered to be the first in a tide of similar state laws. That means companies will need to figure out how to comply with multiple laws and still do business effectively.

The data privacy protections that just took effect in California are rippling through other states, and Florida businesses will soon feel their effects.

Beginning this month, large businesses around the country that operate in California must disclose to their Golden State customers who ask for it any data the companies collect about them. Those customers can then request that the information be deleted or demand that it not be sold. Companies that fail to comply could face significant fees and penalties.

“Companies put themselves at risk if they develop a wait-and-see attitude” to the law, said Jack Clabby, a cybersecurity and privacy attorney in Tampa.

The California Consumer Privacy Act is the first sweeping data privacy measure in the country. It is intended to give consumers more control over their personal data at a time when breaches are rampant and personal information is mined, sold and used in ways consumers have little say over. A recently proposed Florida bill seeks to take similar steps for consumer data privacy.

The law applies to for-profit companies that operate in California and meet one of three criteria: They have a gross annual revenue of at least $25 million; they buy, sell or share personal information for at least 50,000 California consumers; or they make at least half of their annual revenue by selling consumer data.

The companies that the law covers are mostly large private and public companies with significant reach. A report by California’s attorney general estimated that compliance will cost businesses roughly $55 billion initially, and the U.S. Department of Justice expects between 15,000 and 400,000 businesses to be affected nationwide.

Fines for failing to comply range from $2,500 to $7,500 per violation.

California’s law provides a broad umbrella for what constitutes personal information, going beyond the typical name and driver’s license number to include information such as Internet browser history, geolocation data and audio.

“All those kinds of information can be associated with a person and contain intensely private information,” said Jacob Snow, an attorney for the American Civil Liberties Union of Northern California, who focuses on technology.

One of the most significant aspects of the California law is a clause that gives the state’s consumers the right to sue over a data breach that meets certain criteria. If they are successful, companies that expose consumer data could be forced to pay between $100 and $750 per Californian affected by a breach and any other fees the court deems appropriate.

The regulation is widely considered to be the first in what will likely be a tide of similar state laws and potential federal legislation. That means companies will need to figure out how to comply with multiple laws and still do business effectively.

“You could end up with a federal floor and then still have different states that set different levels of privacy protections for consumers, even if those privacy levels conflict,” Clabby said. “It’s not what the regulation is, it’s having certainty so companies can plan their business activities.”

Some companies are expected to take a segmented approach for now, where they would have one division for California and one for the rest of the country, as many do to comply with Europe’s significantly more stringent data privacy laws.

Others, such as Microsoft, are complying with California’s law and offering the same protections to customers around the country.

©2020 the Tampa Bay Times. Distributed by Tribune Content Agency, LLC.