Just when we all had gotten used to what GDPR stands for, those in the data privacy space have a new collection of letters to get to know: CaCPA.
That’s the emerging abbreviation of choice for a recently signed piece of California regulation called the California Consumer Privacy Act of 2018.
The law, which goes into effect Jan. 1, 2020, has already been called “the GDPR of the U.S.” There’s plenty of analysis of the new law circulating around the web right now speculating on how much of an impact the regulation will have. Here’s a rundown on what we know about it now:
The law applies to the personal data of California residents. Companies doing business in California, handling resident data, and meeting any of the three following criteria must comply:
- $50 million or more in annual revenue
- Selling the personal information of more than 100,000 consumers per year
- Receiving 50% or more of their annual revenue from selling consumer information
The core of the CaCPA revolves around three main tenets:
- Giving California residents the right to ask and retrieve what personal data businesses have collected about them, what the businesses do with it, and whom they might have sold such information to.
- Allowing California residents to request that businesses stop selling their personal information and forcing those businesses to comply. What’s more, those businesses cannot penalize consumers, such as by charging more for the same services, for this request.
- Holding businesses doing business in California accountable for data breaches involving California residents’ data through the right to sue said businesses for damages.
An article from Tripwire has a great, plain-language rundown of the basics of the law.
The law goes into effect Jan. 1, 2020. This seems to be a double-edged sword. It gives companies time to prepare, and it gives the California legislature time to make changes, if they see fit. Stay tuned.
California only, for now, though some industry analysts expect this law to be a template for wide-reaching consumer data privacy regulations for other U.S. states.
In short, data breaches. The legislators who shepherded the law through the California legislature (in only a week’s time, by the way) said as much in the press release announcing the bill’s passage:
“[The CaCPA] responds to the recent data breaches that have affected millions of people – those experienced by Target, Equifax, Cambridge Analytica, and many more. The collection of our information combined with data breaches has raised concerns from Internet users worldwide.”
So What Now?
Will this mark a major shift in U.S. privacy law? Many analysts believe that this will be the first domino to fall as other states emulate this law and as many businesses that have customers in California seek to comply.
Others believe it will finally prompt Congress to pass a federal privacy law. No matter the long-term impacts, the law is a definite recognition that the public’s concerns over data privacy are not going away.