San Francisco Chronicle - (Sunday)
Data privacy protections
California lawmakers approved a bill last year designed to increase people’s control over how companies use their personal data. The law takes effect in 2020. Among its provisions:
Web users can demand that a business tell them what personal information it is collecting about them and whether it is selling or sharing it, and if so to whom.
Consumers can tell a company to delete their personal information.
Parents must give permission before a website, online service or mobile app directed toward children can sell the youths’ user data.
Consumers can sue companies that fail to adequately safeguard their personal data, resulting in a breach.
The rules apply to any for-profit business that collects customers’ personal information — from Google and Facebook to retail stores.
Many large global companies already comply with similar restrictions under a European Union digital privacy law that took effect in May, called the General Data Protection Regulation. Among its provisions:
Personal data includes names, internet protocol addresses or identification numbers.
People have a “right to be forgotten” — they can ask for the complete removal of their personal data when a company no longer has reason to keep it. The burden of proof is on the company.
Companies must obtain people’s “informed and unambiguous” consent for processing personal data.
Data collectors must report breaches.
Penalties for violations are $24 million or 4 percent of a company’s global revenue for the previous year, whichever is higher.