Understanding the California Consumer Privacy Act

AB 375, entitled the California Consumer Privacy Act, was approved by the California State Governor on June 28, 2018, and goes into effect on January 1, 2020. The law applies to any business that does business in the State of California and meets at least one of these criteria:

  • Revenue over $25 million;
  • Buys or sells the personal information of 50,000 or more consumers; or
  • Derives 50 percent or more of its annual revenue from selling consumers’ personal information.

AB 375 suggests the need for major changes to corporate operating procedures, applications and software systems. It is interesting to note that the legislation itself specifically refers to the “personal data misused by a data mining firm called Cambridge Analytica.”

Data protection rights are very significant and reinforce the need to minimize potential damages from a cyber attack, whether by malicious insiders or external parties. The law states that any “consumer whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” The penalties can be actual damages, injunctive or declaratory relief, or any other relief the court deems proper.

In any case, the new law grants Californians many rights, including the right to know what personal information is being collected about them, the right to know whether their personal information is sold or disclosed and to whom, the right to know the categories of personal information involved, and more.

Californians can now say no to the sale of their personal information. They can also access their personal information upon request, and request that a business delete any personal information about the consumer that the business has collected. Consumers can also direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information; this is the right to “opt out.”

Personal information under this law is defined very broadly and includes real name, alias, postal address, account name, social security number, driver’s license number, passport number and other similar identifiers. It specifically includes many other categories of data such as biometrics (specifically including DNA data), internet search and browsing history (anything used for digital marketing), geolocation data, employment information and much more.

The implications of AB 375 are very significant, especially given the 18-month window to get ready. Other states will likely introduce similar but different legislation. The bar on the penalties associated with protecting consumer data is now higher. It is incumbent on businesses to bring in the necessary cyber defenses, encryption, 2-factor authentication and more to minimize the risk of a successful breach and the resulting penalties. Consider that one breach may rapidly trigger penalties under more than one compliance regulation.

To find out more, and how we can help, contact us directly at info@cryptonitenxt.com.