California Consumer Privacy Act: What You Should Know

GDPR

Even before May 25, 2018, the European Union’s General Data Privacy Regulation (GDPR) forced U.S. companies to take a serious look at current processes related to privacy and data protection. Following an uptick in security and data breaches, the imminent threat of heavy fines for non-compliant organizations with E.U. shareholders loomed.

Early in 2018, David Becker, General Counsel, and Chief Risk and Compliance Officer at EQ, provided a framework for GDPR’s potential impact on shareholder services.

California Consumer Privacy Act of 2018

The introduction of GDPR sent shockwaves across the U.S. as a direct result of the European government’s decision to intervene in the digital security space.

In March 2017, under the advisement of the Department of Financial Services, we saw New York State enact the Cybersecurity Regulation (NYCRR Section 500) – the first of its kind. More recently in the State of California, the issue of consumer privacy quickly transformed from a hot ticket initiative into an act that was drafted, unanimously passed and signed into law in less than a week. Although the California Consumer Privacy Act (CCPA) had a tremendous amount of consumer support, the requirements under the act remain inconsistent and unclear.

Effective Jan. 1, 2020, this act will provide California residents the right to: know, opt out, delete and the right to equal pricing and service, similar to the provisions outlined in GDPR.

1. The right to know
   As a citizen of California, you have the right to receive an affirmative and active disclosure from the holder or business what personal information the business has collected.
2. The right to opt-out (opposite of GDPR)
   Consumers can say they do not want their personal information shared or sold to a third party. It is the consumer’s responsibility to communicate those expectations with the holder. It is necessary for the business to provide a clear and conspicuous “do not sell my personal information” link on its website. This link should redirect consumers to the privacy policy or notice, where they can officially opt out.
3. The right to delete
   A consumer can elect to have his or her information removed from a business’s server. There are exceptions that EQ, and our clients by extension, have a legal obligation to access specific information as it relates to:

• Completing a transaction
• Detecting and maintaining data security
• Debugging to identify and repair errors
• Exercising a right provided by law
• Internal use aligned with consumer expectations based on the relationship of the business
• Use in a lawful manner

4. The right to equal pricing and service
   Under the CDPA, a consumer who opts out cannot be charged more than a consumer who gives the holder the right to sell or share personal information. This act also allows consumers the private right of action if there is a data breach or if their data is compromised in the event of a breach.  There are exceptions related to complying with federal, state or local law, law enforcement, regulatory inquiries and investigations; cooperating with law enforcement and exercising or defending legal action.

“The implications of the CDPA are much broader than the bounds of California,” says Becker. “If a business has any information – as simple as a name names or address – you are considered to be touching the data of a California consumer and will have to make arrangements.”

Under David’s expertise, EQ will work diligently in order to ensure regulatory compliance as these laws continue to change. Stay up to date on additional information regarding regulatory insights and developments by following EQ’s Views page.