California’s Data Privacy Law, AB 375: It’s Personal

California Consumer Privacy

California’s Data Privacy Law, AB 375: It’s Personal

Last week, California passed one of the most advanced privacy laws in the United States, The California Consumer Privacy Act of 2018. It is being hailed as a major step forward with comparisons such as “GDPR comes to America” and other such headlines.

Upon review, the California act has several challenges, not least of which is that it is not slated to go into affect till 2020, and the many big tech companies that are already lining up to try to get legislators to change provisions of the law.

What is in the law

The law establishes a few new rights for Californian residents, and like the GDPR in Europe, applies to any business that sells to or has personal data on California Residents.

These new rights are:

1. The right of Californians to know what personal information is being collected about them.

2. The right of Californians to know whether their personal information is sold or disclosed and to whom.

3. The right of Californians to say no to the sale of personal information.

4. The right of Californians to access their personal information.

5. The right of Californians to equal service and price, even if they exercise their privacy rights.

In short, it gives Californians a way to opt out of almost all secondary uses of their data whether that be aggregated sale to data brokers, tracking, or other uses not directly tied to the provision of a service.

What is not in the law

While the law does have penalties for breaches that result from not adequately protecting information, this law itself does not contain any requirements for how businesses need to protect information, or language to guide a court is analyzing if protection was adequate.

Impact on market

Unlike the European General Data Protection Regulation, The California Consumer Privacy Act of 2018 does not contain specific requirements for businesses to follow to ensure the Security of Processing.  The Act does prescribe how businesses are to get consent for collecting and using information, and that they can not discriminate against consumers for exercising their rights.

The California Consumer Privacy Act relies heavily on other California and Federal laws to provide guidance on these areas.  There are a number of conflicts with these other laws and areas that would likely need to be clarified through regulatory guidance, or possible changes to the law.

Additionally, there are still a number of questions about how the Act might be amended under pressure from tech companies and privacy advocates, and what regulations might be published to support the Act.

Overall, the exact nature of a business’s obligations will not be known for some time.

A logical solution

Encryption of sensitive data is key to demonstrating that information has been adequately protected under any privacy regulation or law.

Echoworx is committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centers around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centers in the US, UK, Ireland, Mexico, and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

The role of Information Security is certainly changing. Join me and my colleagues for a live discussion, Thursday July 26th, on how this Act and othe new data privacy regulations will affect business globally. A Perfect Union: Privacy, Security and What You Need to Know About Both | 10 AM ET

By David Broad CISSP, Information Security and Audit Lead, Echoworx