As you may know, the General Data Protection Regulation (“GDPR”) enacted by European U
nion went into effect on May 25, 2018. It basically says that a person’s data is their own and that people can opt out of having their information used or shared by companies for marketing or other purposes – the “right to be forgotten”. This is the reason why you may be seeing those little “cookie” advisories at the bottom (or top) of certain websites that you visit.
nion went into effect on May 25, 2018. It basically says that a person’s data is their own and that people can opt out of having their information used or shared by companies for marketing or other purposes – the “right to be forgotten”. This is the reason why you may be seeing those little “cookie” advisories at the bottom (or top) of certain websites that you visit.Since then, I’ve been advising my clients that have websites and collect information about visitors to their websites to adopt internet policies regarding the clients’ security measures and the right to be forgotten. While the GDPR only applies to European citizens, who is to say that a European citizen won’t visit a U.S.-sited website? And, with the furor over Facebook and Cambridge Analytica involving politically-motivated customer tracking, I believed it would only be a matter of time before similar laws would take hold in the U.S.
Well, it’s happened, although sooner than even I had envisioned. California just passed the California Consumer Privacy Act of 2018 (“CCPA”) to go into effect on January 1, 2020. If your company does business in California and collects consumer information (either directly or indirectly), you may be subject to this new law. The CCPA is extremely broad in that it requires businesses to notify their potential customers that it will collect certain information (and the type of information must be identified in the notice) at the point of contact, allow visitors to obtain copies of all of the information that has been collected, and allow customers to demand the company delete or opt out of any sale to third parties any and all information collected by the company (except under certain circumstances). The law also requires notification to customers of any security breaches of a company’s data storage and provides for statutory damages in the event of such a breach.
A full analysis of the California law is beyond the scope of this blog post but you need to take note that California has the largest economy in the United States and is the fifth largest in the world (https://lat.ms/2FK0QtK). If your business isn’t doing business now, it may be doing so in the near future and as California goes, so may the rest of the U.S. So, now is a good time to review your internet privacy and data collection policies, otherwise, your company may not be doing (good) business at all.
