The Green Sheet Online Edition
September 24, 2018 • Issue 18:09:02
California goes European with the California Consumer Privacy Act
Then, long after all of our personal data took up residence 'in the cloud' and was subject to a number of high-profile breaches, all three groups realized something wasn't right about the status quo. Consumers went from being the target of product marketing to their data being the product itself, which is now bought, sold and transferred more quickly and widely than any of us had imagined.
The new California Consumer Privacy Act, which goes into effect Jan. 1, 2020, begins a new chapter in the regulation of trade in non-public personal information in the United States. As the distinction between data and value vanishes, some states are putting more control of data in the hands of their citizens. Tension will always exist between individuals wishing to preserve bits of remaining privacy and businesses wishing to harvest that information for profit.
A number of federal laws have been leading guideposts for regulating the exercise of such rights, including the Financial Services Modernization Act (Gramm-Leach-Bliley Act), Federal Trade Commission Act and Fair Credit Reporting Act.
Most state privacy laws have centered on data breach notification. With the exception of Alabama and South Dakota, all U.S. states have data breach notification laws. Many state data breach notification laws have the same or similar requirements, essentially requiring the entity responsible for the breach to notify the persons concerned.
It is in the context of rudimentary privacy legislation that California enacted the California Consumer Privacy Act.
The new California law
The California Consumer Privacy Act grants certain rights to consumers and protects the use and sale of their personal information by businesses. The Act does not apply to all businesses; it applies only to businesses that meet one or more of the following criteria. The business:
- Has annual gross revenues in excess of $25 million
- Annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenue from selling consumers' personal information
The act most likely applies to businesses like Facebook, Amazon and Google, but not so much to smaller ISO operations. However, ISOs are not relieved of possible effects, because many of them work alongside banks and processors that meet one or more of the three conditions under the act.
Here are some key rights the act creates for consumers:
- Right to know all data collected by a business: A consumer can demand to know which categories of information have been collected on them (for example, name, address, IP address, email address, bank account information).
- Right to say no to the sale of your information: Where the collector of the information wishes to resell that information, consumers will have a right to opt out of that sale. This will be challenging for the many businesses that earn a living by trading in personal information. There are also substantial practical issues related to giving consumers this kind of opt-out, particularly for information that was collected prior to the Act.
- Right to delete your data: This emulates the European Union's 'right to be forgotten' but does not go as far as the EU Privacy Directive. Still, consumers will be able to demand that their data be deleted, which could interfere with businesses that depend on that data. The administrative burden of handling consumer data-deletion requests could also be massive.
- Mandated opt-in before sale of information pertaining to children under the age of 16: This is important to protect information concerning minors, which constitutes a substantial amount of data, given that children are, ever more, "cloud-based."
- Right to know the categories of third parties with whom your data is shared: The value of this lies in the fact that most of us do not know how our information is being shared. Recently, I was at a bank branch helping my son open his first bank account. I was using the bank's Wi-Fi. While connected to the Wi-Fi and opening the account, I received an SMS advertisement promoting a back-to-school cell phone plan.
With my knowledge of Wi-Fi providers' data collection practices, I am all but certain the data collected on me in that short moment was enough to connect the dots between myself, my son, the account and our phone plans. If we were in California in 2020, we might have known that in advance – and even had the right to opt out.
If you are an ISO, and you sign up merchants for a large national processor with annual gross revenues of over $25 million, that processor is subject to the act and may turn to you for help with compliance.
It's hard to predict how processors and banks will become compliant with the law, but it will most likely be dealt with through additional disclosure by banks, processors and merchants. If the very stringent EU GDPR law is any indicator, compliance will not bring business to a halt in California. Instead, it will give work to lawyers who write privacy consent language and will create costs on the part of businesses obligated to cater to consumer rights under the act.
I do not expect the act to significantly impact ISOs.
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law via email at email@example.com or by phone at 514-842-0886.