The California legislature is based on a datum for the moment when private life is torn and even if some companies hold their breath, Californians could see big control gains on their digital data.
We have pointed out in the previous blog posts but in addition to requiring companies to act more responsibly as data controllers (eg, forcing companies to implement reasonable security protections), the California Consumer Protection Act (CCPA) grants rights without previous to consumers.
At the time of printing this blog post, consumers should see:
More Transparency Regarding the Type and Specific Data Collected by Businesses: The CCPA will require companies to disclose the "categories and personal information they have collected" ] about them. . ( 1798.100)
There are now some limitations to the use of the data export right. For example, a company does not have to answer more than twice a year to the same applicant. Or if personal data is collected through a single transaction (for example: you are a novice user or "guest" on a website and make a purchase), the company does not need to keep any data about you. would not normally. (It is possible that you do not receive data in an export.) But in general, this gives Californians the same rights as those granted to EU residents under the RGP.
Deletion of the right of deletion of personal data: This also follows the model of the GDPR model and we discussed it in document . other blog posts so we will not go into detail here. But suffice it to say that Californians can request that their data be erased and companies will usually have to comply (exceptions such as "billing statements" are noted here in 1798.105.d). ( 1798.105)
Right to withdraw from a sale: That is new to the ACCP. The purpose of this provision is to inform California residents of entities that sell their data and those that are not, and in cases where data is sold, to give the right to a Californian of unsubscribe from the sale.
From a practical point of view, it is one of the most interesting aspects of the ACCP. As the definition of "sale" is broad enough – we go there in this blog post – this right gives consumers complete control over restricting the access of other users to their data. It's basically a big "easy" button, because all that a consumer will have to do is click on a clear and visible link ] ( 1798.135.1) on the company's website page, provide the necessary information to allow unsubscription, and the rest will belong to the story.
Alastair Mactaggart, one of the architects of ACCP, reportedly stated that Web browsers would adopt the "do not sell" extensions for allow consumers to automatically choose -out sales of data, but whether or not this happens remains to be seen. Companies that offer points, rewards or frequent flyer programs often do so in exchange for the sale of consumer data (as currently defined as the "sale" of ACCP). By refusing a data sale or requesting the deletion of data, consumers may find that they have also inadvertently lost all their loyalty points or benefits during the process.
To compensate for some of this loss, the CCPA contains provisions protecting consumers from price increases, reduced service offerings, etc., in the event that consumers wish to exercise their rights under the Act. CCPA:
An enterprise must not discriminate against a consumer because he has not exercised any of his rights ( 1798.125)
But it remains to be seen whether the benefits, such as points or rewards, will remain unchanged.
Finally, and perhaps most importantly, the CCPA grants California residents a private right of action (for example: they may sue companies) if their "personal information is unencrypted or unwritten." .. are subject to unauthorized access and exfiltration, theft or disclosure "resulting from the failure to apply" reasonable security precautions. "( 1798.150)
At the time of publication of this section, the definition of "personal information" in the above-mentioned case is not the definition in the meaning of the PMPR used in the rest of the legislation, but rather limited at specific data points like the consumer. surname and first name, in combination with the social security numbers, driver's license or financial account number (including the necessary codes to access the account). The complete definition of personal information is available here but the most notable point about this provision is that consumers will not have to show any damage as a result of a violation of personal data. . They can just complain, and they will see a payment. With a $ 750 damage limit per incident ( 1798.150.A) this will not result in a bonanza for the consumer, but will allow consumers to see some sort of restitution for their disclosed data.
We have about a year to go before the law is applied, and it remains to be seen whether California's Consumer Privacy Act (CCPA) will be amended. Nevertheless, the CCPA is a powerful tool that will give Californians much more control over their online data than they currently have. And as we have seen in previous historical laws (CA SB 1386 – offense notifications; CalOPPA – requiring confidentiality rules), when California acts, other states tend to follow . So, if you are not a resident of California, do not despair. It is quite possible that within a year or two, the CCPA's California protections also extend to the rest of the United States.
Stay tuned to the way back blog for more information on our series on the CCPA
CCPA Legal Implications for Organizations
Use of Data by CACP and Third Parties
More General Laws on the Protection of Privacy in the United States, What Happens in Other States
Preparing for ACCP from the perspective of marketers