Coming to America? California Passes GDPR Copycat Bill
GDPR only went into effect in late May, but it’s already inspired like-minded data privacy legislation on this side of the Atlantic. California, America’s technological heartland, recently signed off on a law that will give consumers greater control over their personal data. Much like GDPR before it, the new law’s impact could be widespread.
While not as vast as the European Union’s GDPR, California’s Consumer Privacy Act of 2018 – which goes live on January 1, 2020 – ranks as the strictest on the books in the United States. The legislation will force companies to disclose what information they’re collecting, how they’re using it, and who can access it. Moreover, it puts control back in the hands of citizens. People can decide if they want to share their information or if they want companies to delete stored personal data outright.
The California Consumer Privacy Act of 2018 applies to for-profit companies doing business in the state that collect consumer information, provided they meet any of the following criteria:
- Exceed $25 million in gross revenue
- Handle personal data of 50,000 or more people, devices, or households
- Earn 50% of their annual revenue from selling consumer information
Businesses beholden to the California Consumer Privacy Act of 2018 that suffer a data breach could pay a hefty price. The law sets the minimum damages at $100 and the maximum at $750 per incident (or actual damages, whichever is greater). It’s not hard to imagine, even at that minimum level, some astronomical payments resulting from this new law – especially considering the size and scope of recent breaches.
It may make for some newfound compliance headaches; however, the California Consumer Privacy Act of 2018 is actually something of a best-case scenario for businesses. The law cut a speedy route through California’s legislature to head off a ballot initiative promising serious compliance migraines. Even though it’s not ideal from the business perspective, the Consumer Privacy Act apparently allows for far more flexibility than California’s voters would have come November.
Next steps: Get out in front of compliance challenges
January 1, 2020 will be here before you know it. Even if this particular piece of legislation doesn’t apply to your business, the clock is still ticking. Regulations such as GDPR and the California Consumer Privacy Act of 2018 are likely only the beginning. People want more power over their data and governments are always eager to find new sources of revenue. In that regard, it’s a match made in heaven. It’s up to businesses to figure out how to continue operating effectively to avoid a place in the crosshairs.
Looking for help navigating the increasingly complex web of cyber security regulations? Arraya Solutions has real-world compliance and security experience at the C-Level. Our team will work closely with onsite IT and organizational leadership to diagnose compliance risks, devise a strategy on how to alleviate those hazards, and then execute on that plan. Start a conversation with our team of experts today by visiting: https://www.arrayasolutions.com/contact-us/.