Consumer privacy law in California to take effect

On Jan. 1, 2020, the California Consumer Privacy Act will require companies to protect user data, even if those users live outside the state. 

Jacinta Keefe/APRA AMCOS/AP
Josh Simons, owner of an app for musicians, works in a studio in this undated photo. His company expects to be one of thousands of businesses subject to the California Consumer Privacy Act, which gives consumers control over personal information the companies collect.

If the thousands of Californians who use Josh Simons' app for musicians demand next month that Vampr delete their personal information, Mr. Simons will be ready to comply.

The social network company expects to be one of many businesses nationwide subject to the California Consumer Privacy Act, a law that takes effect Jan. 1 and gives consumers control over the personal information companies collect, store, and often share with other enterprises. Mr. Simons, who already had a user privacy policy in place before the act became law last year, has retooled the policy and the Vampr app.

"We have half a million users around the world," Mr. Simons says. "It's definitely something we have to keep in mind."

Companies across the country need to be aware of the law's complex requirements even if they don't deal directly with consumers. It covers companies that conduct business in California, including out-of-state companies that sell products or merchandise to California residents. The law can also cover companies that make money from providing services like payment processing or website hosting to businesses that are subject to the law.

The law does have provisions aimed at exempting small businesses – companies are subject to the law if they have worldwide revenue above $25 million; collect or receive the personal information of 50,000 or more California consumers, households or electronic devices; or those who get at least half their revenue from selling personal information. But small companies can easily reach the 50,000 threshold for collecting or receiving information – an individual who has a phone, tablet, PC at home, and one at work counts as four users, not one.

Vampr is currently about 1,000 users shy of the threshold, but Mr. Simons expects the app will reach that milestone sometime in January. The Santa Monica, California-based company's home state is its biggest market.

The law aims to protect consumers from having their information sold without their knowledge or consent. It was passed by the California Legislature in June 2018, and modeled on the European Union's General Data Protection Regulation, which took effect in May 2018. The California law was enacted amid increasing concern about companies sharing consumer data, especially after it was learned that the data firm Cambridge Analytica improperly accessed Facebook user information. 

The California law gives consumers the right to know what personal information companies collect from them, and what businesses do with it – whether they share, transfer or sell it, and who is the recipient of the information. Under a key provision, companies must give consumers the option to have their information deleted from databases.

The law covers a wide range of data including names, addresses, Social Security and passport numbers, email addresses, internet browsing histories, purchasing histories, personal property and health information, professional or employment information, educational records, and information from GPS apps and programs.

Companies subject to the law must ensure their systems and websites are in compliance. Many without in-house technology staffs have hired companies to install software that among other things creates the website buttons and links that allow consumers to see their information and opt out of having it stored. Some companies may decide to get legal help to be sure they're on the right track. Mr. Simons, who himself installed the software to make Vampr compliant, estimates the process cost the business $7,000, a large sum for a small company.

While the California statute takes effect Jan. 1, enforcement won't begin until July 1. And the law as it stands now may change – the Legislature has already passed a number of amendments to clarify and refine the law's requirements, and the state Attorney General's Office is still formulating regulations and guidance about the law.

Some of the law's complexities grow out of the relationships between companies that use one another's data, for example, in the case of a payment processor that must use credit card and other personal information provided by a retailer in order to complete transactions. In such cases, the service provider must sign a contract that prohibits them from using the data for any purpose other than what is stated in the contract, says Travis LeBlanc, an attorney specializing in cybersecurity law with the firm Cooley LLP in Washington, D.C.

Vendors that can connect with client companies' systems can unintentionally be an entry point for hackers trying to steal personal information. That was the case when hackers were able to steal personal information for more than 60 million Target customers in 2013.

"Vendors are often a source of weakness," Mr. LeBlanc says. "The CCPA helps encourage the company that has the primary relationship with consumers to take responsibility for that."

Attorneys find some of the law's provisions to be vague, making it unclear which companies need to comply. One provision says information is protected if it is sold or transferred "to another business or a third party for monetary or other valuable consideration." Attorneys are wondering what "valuable consideration" means, says David Stauss, an attorney with expertise in technology law with the firm Husch Blackwell in Denver.

"This can really become difficult to apply," Mr. Stauss says. "There are some things that are going to clearly be sales, but that's a gray area."

Some companies that won't be subject to the law nonetheless are setting themselves up to be compliant. Some expect that other states will enact similar laws, while others are aware that data privacy is a sensitive issue they need to address.

"We're in an evolving area where consumer sentiment runs very high," says Dawn Barry, president of Luna Public Benefit Corp., a San Diego-based company that collects data for medical research. Although the nature of the company's business makes it exempt from the California law, it nonetheless is compliant with the statute and Europe's GDPR, Ms. Barry says.

This story was reported by The Associated Press.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Consumer privacy law in California to take effect
Read this article in
https://www.csmonitor.com/USA/2019/1219/Consumer-privacy-law-in-California-to-take-effect
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe