U.S. Data Protection: As California Goes, So Goes the Nation?
Alexander Moshinsky, CPA
2.5.20 | Client Alert
The General Data Protection Regulation (GDPR) was created to protect the privacy of individuals in the European Union (EU). On January 1, 2020, California’s Consumer Privacy Act (CCPA)1 became effective and may lead the way for other U.S. states to pass, and enact, similar legislation. In fact, the movement has already begun. Illinois, Texas, and New Hampshire, among other states, have put some data privacy protections in place.2 In addition, New York’s Privacy Act3, which is currently under consideration, is expected to provide residents with more control over their data than in any other state.
With the domestic data protection movement clearly accelerating, U.S.-based organizations, whether or not they have an EU presence or customer base, need to prepare for state regulations and, potentially, federal laws on data privacy. Moreover, with ongoing news stories of data breaches and the sale of personal data by major businesses, pressure continues to build for stronger U.S. data privacy laws.
New Rights for California Consumers
The CCPA grants California residents the right to:
Know what personal information is collected, used, shared or sold, both as to the categories and specific elements of personal information | Businesses must inform consumers that they collect their personal information — either before or after it is collected. This information can include their names, phone numbers, email addresses, and demographics. It extends to website browsing history and ties into IP addresses and locations.
Delete personal information held by businesses and, by extension, a business service provider | Businesses must provide the types of third parties that they share consumer’s personal information with. However, businesses are not required to provide the actual names of the third parties, and it is up to the consumer to request this information. The consumer does have the right to require the business to delete their personal information and not sell it.
Opt out of the sale of personal information | Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13. Businesses must provide ways to opt out and must honor an opt out request. They must also put a link to the opt out page on their homepage advising consumers of this right.
Enjoy non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA | The CCPA prohibits covered businesses from discriminating against consumers who are exercising their CCPA rights. Such discriminations can include:
- Charging a different price,
- Denying goods or services, and
- Imposing penalties on a consumer exercising CCPA rights
Businesses Impacted by the CCPA | Businesses are subject to the CCPA if they meet one or more of the following criteria:
- Gross annual revenues in excess of $25 million
- Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices
- Derives 50% or more of annual revenues from selling consumers’ personal information
To provide extra protection, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
The requirements imposed by the CCPA could be used as a blueprint for future state and even federal legislation. Businesses that will be impacted are advised to prepare in advance of what may be a national movement for consumer data protection in line with the existing GDPR of the EU.
If you have any questions or would like to discuss ways you can prepare, contact Alexander Moshinsky at 212.331.7448 | email@example.com or your Berdon advisor.
Berdon LLP New York Accountants