Preparing for California’s New Data Privacy Act: Q&A with ASG’s Rob Perry
Following closely on the heels of the General Data Protection Regulation (GDPR) in the European Union, state legislators in California recently passed the California Consumer Privacy Act of 2018. Also known as CCPA and AB 375, the new privacy law will give individuals more control over the information that businesses collect about them and impose new penalties on companies that fail to comply.
With the new regulation set to go into effect on Jan. 1, 2020, Rob Perry, VP of product marketing at information management specialist ASG Technologies, reflected on what organizations need to understand about their data to limit risk of fines and help ensure compliance without requiring significant time investments from employees.
What does California’s new data privacy law involve?
Driven by ballot initiative, in many ways it came up rather quickly. It has similarities with GDPR but also differences. It is written much more as a consumer protection law than GDPR.
How so?
It is similar in the requirement that companies obtain consent from individuals to collect and use their data and in the need for companies to disclose how the data will be used. However, there are specific consumer protections. For example, the law says that if someone does not opt in, the company has to treat them in the same manner as someone who has opted in. There is also a provision for compensating people to use their data in the California law. These are things that GDPR did not deal with. It is also quite prescriptive in terms of the need to identify what consumers are agreeing to as far as the use of their data. GDPR just says that you must explain it in plain language and make it understandable. The California law goes further into detail on exact language. It also expands the definition of personal data to include metadata and the categories of data that are being collected that can be used to identify individuals. The goals of each are to protect individuals’ ownership of their personal data, but they have each taken a different approach to it.
Are issues such as access, erasure, and portability, which are prominent in GDPR, also included in the California law?
Access and erasure are included, but there is nothing specific about portability. And, of course, just as with GDPR, there are conditions that apply. For example, you can’t ask someone to whom you owe money to forget about you.
What are the penalties for non-compliance with this new law?
In the case of CCPA, non-compliance fines are not that huge in initial cases. It is a $7,500 penalty for the initial violation—although that could be interpreted to be per person. So the penalty is much lower than GDPR. But, in the case of data breaches, individuals can also petition for damages. Payments could be anywhere from $100 to $750 for an individual in each case of a data breach. An individual would have to file a lawsuit, the Attorney General would have to certify it, and then it would be adjudicated in some way.