
The European Union’s (EU) General Data Protection Regulation (GDPR), which became enforceable in the spring, may be a model for, or a prelude to, similar regulations across the Atlantic. In late June, America’s largest state adopted the California Consumer Privacy Act of 2018.
The California bill goes into effect on January 1, 2020, allowing lawmakers to propose changes before it becomes enforceable. Compliance with the law will most likely increase the costs of doing business. Its passage – it cleared both state houses and was signed by the governor within a few days after it was introduced – prevented a far more stringent measure from going before California voters in November.
A California measure adopted by the state’s voters in a referendum would be much harder to amend. As a result, many businesses, particularly data and information technology companies, welcomed a law from legislators that allowed for greater flexibility. The California law, as it stands now, applies to any company that meets any one of these conditions: it has more than US$25 million in gross revenues, it buys or receives information on at least 50,000 consumers, or it derives 50 percent of its annual revenues from selling consumers’ personal information.
Just like GDPR, the California law requires companies to delete consumers’ personal information when requested, and it gives consumers the right to access the information held about them. Under the California law, companies cannot sell a consumer’s personal information unless the consumer has received explicit notice and has been given an opportunity to exercise the right to opt out. Although the GDPR is a much larger set of regulations, the California law is more detailed about what may constitute personal information (Sec. 1798.140), including information that may give rise to inferences about the consumer.
The California law gives businesses specific instructions on how to comply with consumers’ opt-out actions (Sec. 1798.135). It also allows damages to be awarded to individuals under certain conditions (Sec. 1798.150), whereas the GDPR contemplates only fines against companies, levied by the supervisory authority.
Among other requirements, companies must disclose:
- The categories and specific pieces of personal information that are collected.
- The categories of sources from which the information is collected.
- The business purposes for collecting and selling the information.
- The categories of third parties with which the information is shared.
The law prohibits businesses from charging a higher price or providing a different quality of services or goods to consumers who opt out of having their information shared, but it allows businesses to offer financial incentives for the collection of personal data. GDPR went into effect on May 25, 2018. It applies to businesses domiciled in the EU and to businesses in non-EU countries that conduct business within the Union and provide services directly to individuals in the EU.
GDPR is complemented by data regulations that have been in place in North America; an article on GC Capital Ideas explored the similarities and differences in them.
Statements concerning tax, accounting, legal or regulatory matters should be understood to be general observations based solely on our experience as reinsurance brokers and risk consultants, and may not be relied upon as tax, accounting, legal or regulatory advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified advisors in these areas.
- Developments in the Data Privacy Regulatory Landscape (Introduction)
- Regulatory Landscape Part I: The New Privacy Order Created by GDPR
- Regulatory Landscape Part II: Extra-Territorial Application of GDPR
- Regulatory Landscape Part III: New York Department of Financial Services Regulation
- Regulatory Landscape Part IV: NYDFS Cybersecurity Act - Risk of Third Party Service Providers
- Regulatory Landscape Part V: NAIC Model Law
- Regulatory Landscape Part VII: Conclusion