Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

New California Data Privacy Law May Prove a Model for Other States

July 3, 2018

The ABA Journal reported on June 29th that the new data privacy law in California will give consumers the right to obtain data collected about them, the right to request deletion of the data, and the right to direct a business not to sell the information to third parties. The law takes effect in January 2020.

The New York Times calls the law, the California Consumer Privacy Act, one of the most significant regulations of data collection in the United States. USA Today says the law is the nation's toughest for online privacy protection, and it could serve as a model for other states.

The bill requires companies to disclose personal data collected when a consumer requests it, up to two times a year, and to delete and stop selling the personal information to third parties upon request. It also prevents businesses from selling personal information about minors to third parties, unless the parent of a minor less than 13 affirmatively authorizes the sale, or the minor between the ages of 13 and 16 opts in to the sale.

Businesses are not allowed to discriminate against consumers who exercise their rights under the law by denying them service, charging them different prices or providing a different level of quality. But businesses can offer financial incentives for collecting and selling information, and may offer differing prices that are directly related "to the value provided to the consumer by the consumer's data." That strikes me as muddying the waters, but time will tell.

A consumer whose data is hacked is entitled to recover statutory damages of up to $750 in a civil suit when companies fail to maintain reasonable security procedures provided certain steps are followed. Consumers can't sue unless they first notify the business and the state attorney general, and if the business doesn't correct the problem in 30 days and the state attorney general does not bar the suit. That doesn't strike me as a lot of money for what would be considerable effort on the part of the hacking victim.

Intentional violations could incur civil penalties of up to $7,500 per violation.

The law impacts companies with California customers that gross at least $25 million a year, or interact with information to 50,000 or more people, or make more than half their revenue from selling personal information.

It will be interesting to see what real life impact the law has – and whether other states choose to adopt similar laws.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson