San Francisco Chronicle - (Sunday)

Data privacy protection­s

California lawmakers approved a bill last year designed to increase people’s control over how companies use their personal data. The law takes effect in 2020. Among its provisions:

 Web users can demand that a business tell them what personal informatio­n it is collecting about them and whether it is selling or sharing it, and if so to whom.

 Consumers can tell a company to delete their personal informatio­n.

 Parents must give permission before a website, online service or mobile app directed toward children can sell the youths’ user data.

 Consumers can sue companies that fail to adequately safeguard their personal data, resulting in a breach.

The rules apply to any for-profit business that collects customers’ personal informatio­n — from Google and Facebook to retail stores.

Many large global companies already comply with similar restrictio­ns under a European Union digital privacy law that took effect in May, called the General Data Protection Regulation. Among its provisions:

 Personal data includes names, internet protocol addresses or identifica­tion numbers.

 People have a “right to be forgotten” — they can ask for the complete removal of their personal data when a company no longer has reason to keep it. The burden of proof is on the company.

 Companies must obtain people’s “informed and unambiguou­s” consent for processing personal data.

 Data collectors must report breaches.

 Penalties for violations are $24 million or 4 percent of a company’s global revenue for the previous year, whichever is higher.