California businesses face fines for lax consumer data privacy as of 2020
January means a happy new year for most of us, but maybe not for companies that collect consumer data in California.
As of Jan. 1, 2020, the California Consumer Privacy Act, which former Gov. Jerry Brown signed into law in June 2018, takes effect.
Among other “rights” the law establishes, it requires companies that collect consumers’ personal data to disclose to them what personal information, and what kinds of personal information, the company collects on them. It also allows consumers to demand that a company delete the personal information it holds on them.
The law will target a particular subset of companies, many of them in the finance and technology sectors, that make significant profits from collecting and selling consumer data.
The law applies to businesses with annual gross revenues in excess of $25 million and that sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices.
A business must also derive 50% or more of its annual revenues from selling consumers’ personal information to be affected.
Businesses also must disclose to consumers if they decide to sell personal data. Companies that do sell consumer data to third parties can also be queried by consumers on what data they are selling and to whom, and must stop when a consumer tells them to.
Lawmakers fast-tracked the law, also known as Assembly Bill 375, through the legislature with the understanding that changes could be made to it before it took effect this coming January. And now lobbyists for technology companies are looking to add amendments to the law.
According to one of the law’s authors, Assemblyman Ed Chau, D-Monterey Park, AB 375 responds to data breaches that exposed millions of people’s personal information, including those recently experienced by Target, Equifax, Cambridge Analytica and others.
The bill as it stands will have significant impacts on qualifying companies, particularly technology companies, that cull and sell customer data, and companies need to be ahead of the curve come the new year, according to Michael Garibaldi, a CPA and the managing director of forensic and litigation consulting at FTI Consulting in San Francisco.
Part of Garibaldi’s work includes working with companies to audit and map what consumer data they have and where it is stored, work that is particularly important in light of the new law.
“You need to know exactly what information you collect from your customers,” Garibaldi said. He noted that includes companies knowing where that information is stored, how they are safeguarding it, and if there are appropriate controls within a company for its dissemination.
“Companies should ensure that any vendors they use have appropriate data safeguards in place,” as well, Garibaldi said, right down to companies like his that do audits and access sensitive information.
“If the company is negligent and they do not have appropriate safeguards in place and there is a breach and California consumer information is gathered during that breach, the California attorney general can impose a fine of $7,500 per violation per customer,” he added.
But technology companies that collect vast troves of consumer data for profit are not waiting until New Year’s Day to see how things shake out.
A representative from the Internet Association, which represents tech titans like Google, Amazon and Uber among others, said the law needs more clarity before it goes into effect, and two bills proposing to amend it would do just that.
“We think it’s critical that everyone has a common understanding of what a consumer is,” said Kevin McKinley, director of California government affairs at the association. He said the definition of consumers should not include employees of a company, a carve-out outlined in a current bill, AB 25, also introduced by Chau. The employee provision would end on Jan. 1, 2021.
Another bill, AB 873 introduced by Assemblywoman Jacqui Irwin, D-Thousand Oaks, would clarify what kinds of information companies are required to provide on demand. “It’s important that personal information is defined in a way where everyone understands and is framed in terms of what is reasonably linkable to a person.”
Companies may hold information that is clearly linked to someone, like their social security number, or information that is not necessarily linkable to them.
An example could be the isolated IP address — numeric designation for an internet location — of a computer a consumer accessed a company website from.
In theory, under the law a company could be required to do the legwork of linking that stand-alone information to a consumer, a potentially time-consuming and onerous process.
Staff Writer Chase DiFeliciantonio covers technology, banking, law, accounting, and the cannabis industry. Reach him at email@example.com or 707-521-4257.