What the new data privacy law means to you
Consumers will have more control over their online information
Facebook. Yahoo. Equifax. Over and over, millions of consumers have seen companies they had trusted with their personal and financial information admit that data had been hacked, stolen or otherwise used without their permission.
But a new California law, the California Consumer Privacy Act, approved this week under threat of a ballot initiative, will give consumers unprecedented power to protect their data and hold companies accountable for breaches.
Here’s a look at how the new law will affect your online life.
Q Do I have these new protections right now?
A Not yet. The law doesn’t take effect until Jan. 1, 2020. That seems like a long way off. But the law was spurred by an initiative, since pulled from the November ballot, that would not have taken effect until six months after it passed. The law gives companies about six more months to comply than they would have had if the initiative had passed.
Q What rights will I have under this new privacy act?
A The new law guarantees the right to know what data is being collected on you, including rights to access, download or transfer your information. It gives you the right to refuse to allow companies to sell your data. It gives you the right to compel companies to delete private data they collected on you. It prohibits selling data on kids without their consent. Companies generally cannot penalize consumers who exercise their rights under the new law. And it holds companies liable for violations and data breaches.
Q Can’t I already ask companies to tell me what they collect on me and opt out of its sale?
A Not as a matter of law, unless the company chooses to offer it to you. The existing California Online Privacy Protection Act requires companies to post a privacy policy online explaining what information they gather on consumers, how it might be shared and any process for reviewing it or making changes. The new law goes further, requiring companies to disclose information collected upon request, free of charge up to twice in a 12-month period. Companies also must disclose the types of information — say, demographic, geolocation — what kind of recipients it is shared with, and the business reason for collecting it.
And the new law gives consumers the right to stop companies from selling their personal data. Companies will have to have a “button” or feature on their website to request access to your data or opt out of its sale.
Q Are kids covered under the new law?
A The federal Children’s Online Privacy Protection Act of 1998 already applies to children age 12 and younger. It requires parental consent, with limited exceptions, before collecting personal information online from children, and allows parents the right to see information collected on their kids and have it deleted. The new California law adds another layer, requiring that kids up to age 16 consent to the sale of their online data.
Q Are some of the provisions of this new law in place elsewhere?
A This new law incorporates some concepts from the European Union’s General Data Protection Regulation, which took effect in May. Those include the right to access and transfer your data — for example, to another social media or email provider — and to compel companies to delete what they collected on you.
Q Aren’t companies already required to protect my online data and responsible for breaches?
A Existing law requires companies to take reasonable steps to secure your personal data. The new law provides you a right to sue for statutory damages over unauthorized access, theft or disclosure of your information.
Q OK, I got notified my data was breached. How do I get justice under this new law?
A If you lost money as a result of the breach, you can file a lawsuit to recover those costs. If you aren’t sure yet, you can notify the company of its violations, which will trigger a process where either you or the attorney general could file suit. The new law gives the company a chance to remedy the breach. If it cannot, the consumer could then file suit and must notify the attorney general. The attorney general could then either take over the case, allow the private suit to proceed or block it if it was found frivolous.
Q What will I be able to do if I think a company is not complying with other new requirements, such as disclosing data collected on me or letting me opt out of its sale?
A Tell the company you think it is violating the law, and tell the attorney general. The state will be tasked over the next 18 months with developing an easy way for consumers to report suspected violations to the attorney general.