The Green Sheet Online Edition

September 24, 2018  •  Issue 18:09:02


California goes European with the California Consumer Privacy Act

By Adam Atlas

As the leader of the free world, the United States has long championed individual rights, including the right of a business to collect non-public personal information and use it pursuant to a published privacy policy. For many years, businesses, consumers and legislators found common ground where each had a measure of protection for their interests while not stifling entrepreneurship.

Then, long after all of our personal data took up residence 'in the cloud' and was subject to a number of high-profile breaches, all three groups realized something isn't right about the status quo. Consumers went from being the target of product marketing to their data being the product itself, which is now bought, sold and transferred more quickly and widely than any of us had imagined.

The new California Consumer Privacy Act, which goes into effect Jan. 1, 2020, begins a new chapter in the regulation of trade in non-public personal information in the United States. As the distinction between data and value vanishes, some states are putting more control of data in the hands of their citizens. Tension will always exist between individuals wishing to preserve bits of remaining privacy and businesses wishing to harvest that information for profit.


A number of federal laws have been leading guideposts for regulating the exercise of such rights, including the Financial Services Modernization Act (Gramm-Leach-Bliley Act), Federal Trade Commission Act and Fair Credit Reporting Act.

Federal law tends to focus on holding a business responsible to disclose how information will be collected, stored, used and disclosed – usually in a privacy policy – and requiring businesses to keep the promises they make in their privacy policies and related disclosure. Federal law also raises the bar on disclosures and consents related to specific types of information, such as financial information or medical records.

Most state privacy laws have centered on data breach notification. With the exception of Alabama and South Dakota, all U.S. states have data breach notification laws. Many state data breach notification laws have the same or similar requirements, essentially requiring the entity responsible for the breach to notify the persons concerned.

It is in the context of rudimentary privacy legislation that California enacted the California Consumer Privacy Act.

The new California law

The California Consumer Privacy Act grants certain rights to consumers and protects the use and sale of their personal information by businesses. The Act does not apply to all businesses; it applies only to businesses that meet one or more of the following criteria. The business:

The act most likely applies to businesses like Facebook, Amazon and Google, but not so much to smaller ISO operations. However, ISOs are not relieved of possible effects because many of them work alongside banks and processors that meet one or more of the three conditions under the act.

Here are some key rights the act creates for consumers:

ISO take-aways

If you are an ISO, and you sign up merchants for a large national processor with annual gross revenues of over $25 million, that processor is subject to the act and may turn to you for help with compliance.

It's hard to predict how processors and banks will become compliant with the law, but it will most likely be dealt with through additional disclosure by banks, processors and merchants. If the very stringent EU GDPR law is any indicator, compliance will not bring business to a halt in California. Instead, it will give work to lawyers who write privacy consent language and will create costs on the part of businesses obligated to cater to consumer rights under the act.

I do not expect the act to significantly impact ISOs.

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law via email at or by phone at 514-842-0886.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
