State sets rules for consumer privacy
California Attorney General Xavier Becerra released a series of draft regulations Thursday aimed at getting businesses to comply with the state’s landmark data privacy law, scheduled to take effect Jan. 1.
Under the California Consumer Privacy Act, signed into law in June 2018, businesses must disclose to consumers the various kinds of data they collect about them. Companies must stop selling consumer data to third parties if customers ask them to, delete personal data on request, and explicitly seek consent from consumers aged 16 or younger to sell personal information.
The bill also states that consumers who exercise their rights under the law cannot be discriminated against.
The newly announced rules for businesses require notifying people before or when their data is collected. If notice is not given, data cannot be collected. The attorney general also provided guidelines for how to respond to consumers wanting to opt out, delete and know the data that’s collected on them, as well as how to verify the identity of people making such requests and how to maintain relevant records for two years.
“Help us get this right,” Becerra said.
Privacy is a right in California, he said, even as he acknowledged that some businesses may struggle to find the resources to comply. But, he added, “We want companies to understand that ignorance is not an excuse.”
Requirements outlined by the attorney general include:
providing a “Do Not Sell My Info” link on the homepage of a company’s website or mobile app;
for businesses with physical stores, paper notices on data collection;
at least two methods for consumers to find or delete data that has been collected about them — for example, a tollfree number, an email address or a paper form.
Consumers, privacy advocates and businesses can weigh in about the proposals in written comments and at four public hearings in San Francisco, Sacramento, Fresno and Los Angeles. The deadline for comments is Dec. 6.
The privacy act applies to a range of businesses, from tech companies like Google and Facebook to retail stores. Trade groups such as the Internet Association and the National Retail Federation opposed the legislation.
Not all California companies need to comply with data privacy law. Businesses will be subject to the law if they have annual revenue of more than $25 million; collect personal information of 50,000 or more consumers; or get at least half of their annual revenue from the collection of consumers’ data. Businesses handling personal information of more than 4 million consumers face additional requirements.
A recent study prepared for the state attorney general’s office by Berkeley Economic Advising and Research said 75% of California businesses will have to comply with the data privacy law. Costs for business could total between $467 million and $16.5 billion between 2020 and 2030, the study said.
“Data is today’s gold,” Becerra said. “Everyone is rushing to mine data and California is not unfamiliar with the Gold Rush. The big difference between now and 170 years ago was while gold was stripped from land, today, data is stripped from your privacy.”