The California Consumer Privacy Act is the latest addition to the privacy regulatory world and it is stirring the conversation about protecting personal data even more.  I’ve been a huge fan of Saturday Night Live since the first time I saw it on TV.  One of its iconic reoccurring skits was “The Californians”, whose primary theme was explaining how to get from one place to another by using different California roads and highways.  As of last week, real Californians have a new topic to discuss that's a lot more serious: Information Privacy!   And the route by which organizations may need to proceed could have as many twists and turns as those classic SNL Californian skits.

What is the California Consumer Privacy Act?

On June 28, “The California Consumer Privacy Act of 2018” was signed into law extending Californian’s right to privacy.  This law strengthens rights of California residents already in place.  In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. According to the California Consumer Privacy Act, “fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.” 

Beginning January 1, 2020, the law provides for:

• The right of Californians to know what personal information is being collected about them.
• The right of Californians to know whether their personal information is sold or disclosed and to whom.
• The right of Californians to say no to the sale of personal information.
• The right of Californians to access their personal information.
• The right of Californians to equal service and price, even if they exercise their privacy rights.
• Businesses that collect consumer personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used and shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice.
• A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer and the business shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
• Businesses that suffer a breach of security shall be deemed to have violated the Act and may be held liable if the business has failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.

What does the new California Privacy Law mean to businesses?

The first step, as with all new regulatory changes, is to engage with legal counsel to see how the law may affect your business.  According to the law, businesses that do not comply are subject to litigation and sanctions.  Any consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

• To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
• Injunctive or declaratory relief.
• Any other relief the court deems proper.

In assessing damages, the court shall consider any one or more of the relevant circumstances, including, but not limited to, the nature and seriousness of the misconduct; the number of violations; the persistence of the misconduct; the length of time over which the misconduct occurred; the willfulness of the defendant's misconduct; and the defendant's assets, liabilities, and net worth.

In addition, any person, business, or service provider that intentionally violates the Act may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.

While the amounts involved may appear relatively immaterial, they will certainly be impactful in aggregate as the size of a breach grows.  Further, the ill will and reputation risk associated with breaches will be magnified due to press coverage around violating this Act.

Consumer Privacy

The concept that consumers own their information and have the right to control it is the front and center tenant of the California Consumer Privacy Act.  Businesses subject to this regulation have much work to do to ready themselves to accommodate consumer rights to receive notice; to inquire about the information; to refuse sharing; and to delete information.  At the same time, businesses handling consumer information must establish a program designed to ensure that reasonable security procedures and practices are implemented and maintained appropriate to the nature of the information to protect it from unauthorized disclosure.  As with most privacy-related regulations, the California Consumer Privacy Act will prompt businesses to adopt an on-going, risk-based information security program across their extended enterprise.

No, this Act isn’t funny like SNL’s “The Californians” but it is already being touted as groundbreaking, and the most sweeping privacy legislation passed in the U.S. to date.

Check out RSA Archer's use cases that are designed to help organizations with privacy challenges:  Data Governance and Privacy Program Management in the RSA Archer Regulatory and Corporate Compliance solution