Email
Password
Remember meForgot password?
    Log in with Twitter

article imageWhat the California Consumer Privacy Act means for business: Q&A Special

By Tim Sandle     Jul 22, 2018 in Business
There are some big implications arising from the recently-passed California Consumer Privacy Act, AB 375. Although they may not realize it yet, every technology and Fortune 500 company in America is going to be affected. A leading analyst explains why.
The California Consumer Privacy Act, AB 375 goes into effect in 18 months and there are parallels with the recent European The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (see Digital Journal's profile "European business needs to get smart about data protection").
To discover more about the new Act and its implications for businesses and consumers, Digital Journal spoke with with privacy data expert John Tsopanis of 1touch.io.
Digital Journal: What’s the background behind the new privacy legislation?
John Tsopanis: The privacy legislation is a response to mass data misuse in the United States. The practices of data scraping/harvesting, psychological profiling, and microtargeting have been common practice for digital marketing departments for a number of years and the implications of those practices are starting to be felt by our citizens and democratic institutions across the world. These concerns have developed alongside a continuous stream of high profile information breaches such as Ashley Madison, Target and Equifax which have raised the importance of securing personal information in the eyes of American citizens.
This was made clear by Cambridge Analytica who used commonly used digital marketing techniques to psychologically profile 87 million US and UK citizens and microtarget them with disinformation campaigns to influence elections on both sides of the Atlantic. The landscape that allowed this to happen, the single largest enabler, was the mass proliferation of personal information to third parties with no conditions or due diligence conducted on its usage in Silicon Valley, and the subsequent ability of Californian technology platforms to leverage that information, providing access to that citizen’s screen to the highest corporate or political bidder.
The outcome of the Cambridge Analytica investigation is the death knell of current data privacy practices in America and this law needs to be understood in that context.
DJ: Who was behind drafting the law?
Tsopanis: Alastair Mactaggart, Campaign Chair, Californians for Consumer Privacy, drew it up. The California Legislature adopted and the governor signed the bill on June 28, 2018. In recitals, the legislature acknowledges some of the many existing data privacy laws that California has already enacted over the years. California has led the United States and often the world in codifying privacy protections, enacting the first laws requiring notifications of data security breaches (2002) and website privacy polices (2004).
DJ: What are the main implications for businesses?
Tsopanis: Businesses will have to fulfill the following rights for California residents:
Right to know all data collected by a business on you.
Right to say NO to the sale of your information.
Right to DELETE your data.
Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
Mandated opt-in before sale of children’s information (under the age of 16).
Right to know the categories of third parties with whom your data is shared.
Right to know the categories of sources of information from whom your data was acquired.
Right to know the business or commercial purpose of collecting your information.
Enforcement by the Attorney General of the State of California.
Private right of action when companies breach your data, to make sure these companies keep your information safe.
To fulfill these rights, businesses across the United States will have to identify all of the categories of personal data that they process on Californian residents, and be able to provide them a full report, within 45 days of request, of what categories of personal information they process; why they process it; and who they sell it or share it with.
DJ: Can you give an example?
Tsopanis: Wendy’s has 6,500 locations dispersed across the country, with 37,000 employees and tens of millions of customers a year. They have a “My Wendy’s” app which you can log into with your Facebook or Google account (which they absorb personal information from) that has geolocation-enabled features for their customers. There’s Wi-Fi in every store that collects cookies on each consumer, and tracking technologies on their website. What’s more, in their privacy policy they say, “We may on occasion combine information from outside sources to customize your experience on the site,” which opens up a new tranche of data that could be coming from anywhere. From this, Wendy’s could easily accumulate upwards of 30 or 40 data points on each customer.
The technical capabilities needed to identify, extract, and centralize all of the different types of personal information across all of their different services, databases, shared drives and applications for each California resident, for each request, is significant.
DJ: What do businesses need to do to keep on the right side of the law?
Tsopanis: American companies must be able to satisfy California residents’ data access requests relating to data usage in the preceding 12 months. So although the law comes into effect on 1st January, 2020, organizations must start tracking how Californians’ personal information is being processed from 1st January 2019 (only six months from now) in order to be able to satisfy the data access request a year later. Having worked with GDPR in Europe, I can tell you that this is not a lot of time to identify the personal information you process, so organizations must start preparing now.
DJ: What will the impact be on consumers?
Tsopanis: The same as outlined earlier, in essence: the right to know all data collected by a business on you; the right to say no to the sale of your information; and the right to delete your data. In addition, there's right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection; plus mandated opt-in before sale of children’s information (under the age of 16); and the right to know the categories of third parties with whom your data is shared.
There's also the right to know the categories of sources of information from whom your data was acquired; the right to know the business or commercial purpose of collecting your information. California consumers will be empowered to protect the usage of their personal information and hold companies liable for any breaches.
In a companion article, John Tsopanis looks at whether the California legislation will be rolled out across the U.S. and what the wider significance is. See: "Why California's data privacy law is set for U.S. roll out: Q&A."
More about California Consumer Privacy Act, California, Privacy
More news from
Latest News
Top News