[BreachExchange] ‘Ignorance is not an excuse’: California draft rules on data privacy released

Nora Butkovich nora at riskbasedsecurity.com
Fri Oct 11 16:23:00 EDT 2019


https://www.sfchronicle.com/business/article/Ignorance-is-not-an-excuse-California-14509939.php

California Attorney General Xavier Becerra released a series of draft
regulations Thursday aimed at getting businesses to comply with the state’s
landmark data privacy law, scheduled to take effect Jan. 1.

Under the California Consumer Privacy Act
<https://www.sfchronicle.com/politics/article/Consumer-online-privacy-measure-could-be-headed-14465479.php>,
signed into law in June 2018, businesses must disclose to consumers the
various kinds of data they collect about them. Companies must stop selling
consumer data to third parties if customers ask them to, delete personal
data on request, and explicitly seek consent from consumers aged 16 or
younger to sell personal information.

The bill also states that consumers who exercise their rights under the law
cannot be discriminated against.

The newly announced rules for businesses require notifying people before or
when their data is collected. If notice is not given, data cannot be
collected. The attorney general also provided guidelines for how to respond
to consumers wanting to opt out, delete and know the data that’s collected
on them, as well as how to verify the identity of people making such
requests and how to maintain relevant records for two years.

“Help us get this right,” Becerra said.

Privacy is a right in California, he said, even as he acknowledged that
some businesses may struggle to find the resources to comply. But, he
added, “We want companies to understand that ignorance is not an excuse.”

Requirements outlined by the attorney general include:

• providing a “Do Not Sell My Info” link on the homepage of a company’s
website or mobile app;

• for businesses with physical stores, paper notices on data collection;

• at least two methods for consumers to find or delete data that has been
collected about them — for example, a toll-free number, an email address or
a paper form.

Consumers, privacy advocates and businesses can weigh in about the
proposals in written comments and at four public hearings in San Francisco,
Sacramento, Fresno and Los Angeles. The deadline for comments is Dec. 6.

The privacy act applies to a range of businesses, from tech companies like
Google and Facebook to retail stores. Trade groups such as the Internet
Association and the National Retail Federation opposed the legislation.

Not all California companies need to comply with the data privacy law.
Businesses will be subject to the law if they have annual revenue of more
than $25 million; collect personal information of 50,000 or more consumers;
or get at least half of their annual revenue from the collection of
consumers’ data. Businesses handling personal information of more than 4
million consumers face additional requirements.

A recent study
<http://www.dof.ca.gov/Forecasting/Economics/Major_Regulations/Major_Regulations_Table/documents/CCPA_Regulations-SRIA-DOF.pdf>
prepared for the state attorney general’s office by Berkeley Economic
Advising and Research said 75% of California businesses will have to comply
with the data privacy law. Costs for business could total between $467
million and $16.5 billion between 2020 and 2030, the study said.

“Data is today’s gold,” Becerra said. “Everyone is rushing to mine data and
California is not unfamiliar with the Gold Rush. The big difference between
now and 170 years ago was while gold was stripped from land, today, data is
stripped from your privacy.”