by Ari Vared, Senior Director of Product, CyberPolicy
On June 28, 2018, California legislators passed one of the toughest data privacy laws in the country. Targeting tech companies like Amazon, Facebook, Google and Uber, the California Consumer Privacy Act restricts data harvesting practices by requiring businesses to disclose the type of data they collect about consumers. The law applies only to residents of California and allows those consumers to opt out of having their information sold to third parties, including advertisers.
The California law shares several similarities with the EU’s General Data Protection Regulation (GDPR), which went into effect in May. Unlike the GDPR, however, this law doesn’t require that consumers opt in to grant companies permission to collect their personal information. The law also doesn’t require that companies offer consumers the right to opt out of data collection altogether, although it does allow consumers to request complete deletion of their personal data.
Tech Giants Aren’t the Only Targets
While initially designed to focus on curbing how tech giants handle data, any company that does business online and collects personal information will be affected by the California law, including small and medium businesses. Furthermore, companies will face steep fines if they fail to comply. For instance, under the law, consumers have the right to sue companies for up to $750 for every instance of a data breach violation, and state attorneys general can sue companies for intentional violations of privacy at up to $7,500 each.
With the California law slated to go into effect on January 1, 2020, companies have just over one year to prepare. Below are four key considerations small and medium businesses should prioritize during their preparation:
- ‘Personal data’ is loosely defined.
According to the law, any company that grosses at least $25 million annually, shares personal information of 50,000 or more consumers, households or devices for commercial purposes, or makes more than 50 percent of its revenue from selling data is subject to it. ‘Personal information’ is loosely defined, however, so it’s critical that small and medium businesses look closely at the data they’re collecting to determine whether they are liable, even if they aren’t meeting the financial thresholds of the law.
- Operational costs will increase.
To comply with the law, companies — especially emerging ones — will likely need to add new infrastructure to handle a new slew of consumer requests. Budget ahead of time for any such changes and streamline the updated user experiences as much as possible. Also, make sure to allocate costs for seemingly simple website updates. For example, the law requires a “clear and conspicuous link” on company homepages that says, “Do Not Sell My Personal Information.” Accommodating this requirement in a seamless manner may require some thoughtful design work.
- Financial incentives are fair game.
If a consumer provides opt-in consent, companies can offer them certain financial incentives for the collection, sale, and deletion of their personal information. This will likely be a popular perk amongst consumers (and remember, consumers can still revoke their opt-in consent at any time). For businesses, however, providing such incentives could prove difficult, especially if they’re smaller entities with less capital and a smaller customer base.
- Resolution turnaround time is 30 days.
For both consumer and state lawsuits brought over any data privacy violations, companies have just 30 days to resolve the problem at hand. Small and medium businesses should consider adopting cybersecurity insurance to help quickly cover the immediate expenses associated with a violation, such as the cost of retaining legal services. Look for policies that provide a breach management coach and cover the cost of public relations expertise, as recovering a company’s reputation after a lawsuit can be very expensive and challenging.
Nationwide Privacy Laws Could Be Our Future
There will likely be further refinements to this law over the coming years, and it’s worth noting that it has set the stage for state legislatures across the country to adopt similar laws in the future, meaning companies could soon have to change their digital business practices nationwide. Start preparing now for the looming 2020 California deadline, and pay particular attention to requirements that will be more difficult for small and medium businesses to incorporate, as this pioneering new law stands to affect any company, no matter its size, location or resources.
To read the California Consumer Privacy Act in its entirety, visit: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
About the Author
Ari Vared is the Senior Director of Product at San Francisco-based CyberPolicy, which provides small businesses with the cybersecurity advice, tools, and insights they need to protect their data, operations, and reputation. A wholly-owned subsidiary of CoverHound Inc., CyberPolicy is the world’s first and only comparison site for cyber insurance, helping companies Plan, Prevent, and Insure against today’s modern threats. Ari has spent over a decade helping small businesses sharpen their product, strategy, and operations to increase growth and partnership opportunities. His passion for SMBs and expertise in cybersecurity and cyber insurance enable him to provide comprehensive insights for SMBs, who are often underserved and most vulnerable to data breaches and cyber attacks.