Podcast: California's New Consumer Privacy Act

In this episode of Defrag This, we discuss the repercussions the new California Consumer Privacy Act will have on US data privacy laws and how and if it relates to the GDPR.

On June 28th California passed the California Consumer Privacy Act. The EU had already enacted GDPR laws that took effect May 25th.  The US is very far behind, but it seems that California’s new laws, set to take effect in 2020, are just the beginning of a bigger battle here in the US over how companies can use and store personal data. These new laws will significantly affect the way companies conduct business and how individuals exercise their rights to personal data.

Can Corporate America Be Trusted With Private Data?

As it stands right now, every state could potentially have its own set of laws governing how companies that collect data will need to handle the personal information of its citizens. And while some are hopeful that this will become a federally regulated issue, there is no indication that this kind of national move will happen in the foreseeable future.

However, with companies like Facebook and Equifax coming under heat for their mismanagement of millions of people’s personal data, it seems this moment was inexorable.

While it may be good news for individuals, there are many businesses crying foul.  Google, Amazon, Microsoft, and Uber - among others - are already lobbying against these laws, which could bring about huge changes for these companies. Some of them claim that it’s how the California Privacy Law was enacted. The law is vague and may do more damage than good. Others on the other hand of the aisle think that this is just a starting point for future legislation.

Related: A Year Later, Equifax Finally Reveals Full Extent Of Breach

In any case, the question of what to do from here has a lot of kinks to work out, but it’s an understatement that guarding individual’s personal information is important. To what extent do we own our personal information? How liable are companies for their role in the collection and safeguarding of this information?

Safeguarding personal information is a need that grows alongside the ability of others to collect it.  The good news is that, practically speaking, educating yourself may provide less fear of online security and actually provide the boost you need to remain diligent with your info.

Should There be a Federal Data Privacy Law?

Businesses have already been dealing with state laws that deal with personal information, particularly online privacy and specifically protecting minors. While it poses some new difficulty for any business specializing in collecting personal data, particularly given the prospect of multi-state regulation, what does it mean for you, the individual?

You may not live in California, but this law will set the precedent for other state or even federal regulations.  Even in its infancy, it’s worth knowing how it will affect both individuals and businesses in terms of how personal data is handled.

Here are some of the rights granted to California residents as posted on CAPrivacy:

• The right to know all the data a business collected on you;
• The right to say no to the sale of your information;
• The right to delete your data;
• The right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection;
• Mandated opt-in before sale of children’s information (under the age of 16);
• The right to know the categories of third parties with whom your data is shared;
• The right to know the categories of sources of information from whom your data was acquired;
• The right to know the business or commercial purpose of collecting your information;
• Enforcement by the Attorney General of the State of California;
• The private right of action when companies breach your data, to make sure these companies keep your information safe.

Business Response to California Consumer Privacy Act

It’s important to make the distinction that this law in its current incarnation sets a precedent for individuals’ personal data, but does not actually do much to protect that data yet. Even though this is all in its infancy, here are some things you can do to help the process:

Learn and be aware.  Understanding what data you may be floating out into the online abyss and what can be done with it - legally and illegally - goes a long way in protecting your information.  You are still the first line of defense and should keep a wary eye on what is sent out. 

Be proactive.  New laws potentially give you the right to administer your personal information.  In order to take advantage of this you must exercise this right.  Knowing what rights legislation grants you and how to make use of it will be important over the next few years.

Read.  It’s tempting to completely ignore the “check this box if you agree to the terms and conditions”.  We’ve all done it for sake of time.  However, this is one way businesses try to be accountable to individuals. 

Be realistic.  This will not happen overnight.  Expect change to come dutifully but slowly.  And above all else, we should remember that there are many companies out there who simply want to serve us better and who handle our information with care.

Ultimately, change is both far off and right here.  We live in an age still desperate to catch up with the development of online activity over the past two decades.  With this comes great opportunity and potential danger. Knowing who to trust will be a key factor when deciding with whom you’ll do business.