Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 last week, hours after its unanimous approval by the State Assembly and Senate. When it takes effect, it will be the toughest data privacy law in the United States, with many provisions similar to those of the European Union’s General Data Privacy Regulation (GDPR).
(PHOTO: California Republic Flag, by Martin Jambon, is licensed under CC BY 2.0, from flickr / cropped)
The law, which takes effect in 2020, gives consumers sweeping control over their personal data. It grants them the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and who they are sharing it with. Consumers will also have the option of barring tech companies from selling their data, and children under 16 must opt in before companies can collect their information at all.
Among the provisions of the law are the following protections for consumers:
- Right to know all data collected by a business on you.
- Right to say “no” to the sale of your information.
- Right to ask online service providers to delete your data.
- Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- Right to know the categories of third parties with whom your data is shared.
- Right to know the categories of sources from which your data was acquired.
- Right to know the business or commercial purpose of collecting your information.
- Enforcement by the Attorney General of the State of California.
- Private right of action when companies breach your data, to make sure these companies keep your information safe.
While many companies have a head start on complying with the law, having already worked to overhaul their data privacy and governance practices in light of the EU’s GDPR, companies say they still have some work to do to be compliant. California’s new law might give them more incentive to update their data gathering practices, and it should be added to the list of what internal auditors check for when conducting a data privacy or data governance audit.