By Adam Atlas
Attorney at Law
Then, long after all of our personal data took up residence 'in the cloud' and was subject to a number of high-profile breaches, all three groups realized something isn't right about the status quo. Consumers went from being the target of product marketing to their data being the product itself, which is now bought, sold and transferred more quickly and widely than any of us had imagined.
The new California Consumer Privacy Act, which goes into effect Jan. 1, 2020, begins a new chapter in the regulation of trade in non-public personal information in the United States. As the distinction between data and value vanishes, some states are putting more control of data in the hands of their citizens. Tension will always exist between individuals wishing to preserve bits of remaining privacy and businesses wishing to harvest that information for profit.
A number of federal laws have been leading guideposts for regulating the exercise of such rights, including the Financial Services Modernization Act (Gramm-Leach-Bliley Act), Federal Trade Commission Act and Fair Credit Reporting Act.
Most state privacy laws have centered on data breach notification. With the exception of Alabama and South Dakota, all U.S. states have data breach notification laws. Many state data breach notification laws have the same or similar requirements, essentially requiring the entity responsible for the breach to notify the persons concerned.
It is in the context of rudimentary privacy legislation that California enacted the California Consumer Privacy Act.
The California Consumer Privacy Act grants certain rights to consumers and protects the use and sale of their personal information by businesses. The Act does not apply to all businesses; it applies only to businesses that meet one or more of the following criteria. The business:
The act mostly likely applies to businesses like Facebook, Amazon and Google, but not so much to smaller ISO operations. However, ISOs are not relieved of possible effects because many of them work alongside banks and processors that meet one or more of the three conditions under the act.
Here are some key rights the act creates for consumers:
With my knowledge of Wi-Fi providers' data collection practices, I am all but certain the data collected on me in that short moment was enough to connect the dots between myself, my son, the account and our phone plans. If we were in California in 2020, we might have known that in advance – and even had the right to opt out.
If you are an ISO, and you sign up merchants for a large national processor with annual gross revenues of over $25 million, that processor is subject to the act and may turn to you for help with compliance.
It's hard to predict how processors and banks will become compliant with the law, but it will most likely be dealt with through additional disclosure by banks, processors and merchants. If the very stringent EU GDPR law is any indicator, compliance will not bring business to a halt in California. Instead, it will give work to lawyers who write privacy consent language and will create costs on the part of businesses obligated to cater to consumer rights under the act.
I do not expect the act to significantly impact ISOs.
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law via email at firstname.lastname@example.org or by phone at 514-842-0886.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next