What Dealers Everywhere Should Know About the Calif. Consumer Privacy Act
The Golden State’s version of GDPR — a first-of-its-kind state data privacy law in the U.S. — was discussed in-depth at the CAA’s spring convention.
PALM SPRINGS, Calif. — When Jan. 1, 2020, rolls around, many California businesses will be subject to digital privacy laws that bear resemblance to some sections of the European Union’s disruptive General Data Protection Regulation (GDPR).
As the first state law in the United States to regulate online privacy, the California Consumer Privacy Act (CCPA) is expected to have widespread impact. Are all you security company owners and executives not doing business in California breathing a sigh of relief? Not so fast.
Susan Kohn Ross, a partner with Mitchell Silberberg & Knupp LLP, presented a session detailing the CCPA at the California Alarm Association’s recent spring convention, held here May 15-18. Make no mistake, as Ross explained, the CCPA is being closely watched by state legislatures across the nation. Not only are other states considering similar privacy laws, but some persuasive “voices” are advocating for national privacy legislation.
For example, Microsoft’s Julie Brill, corporate vice president and deputy general counsel, wrote Tuesday in a blog post that Congress and the federal government need to pass broader and stronger privacy protection similar to the EU’s GDPR.
“California’s law is a good starting point. But federal legislation should go further and ensure that companies act as responsible stewards of consumers’ personal data,” said Brill, a former commissioner of the U.S. Federal Trade Commission. “One way to achieve this is by requiring assessments that weigh the benefits of data processing against potential privacy risks to those whose data is processed.”
Based on material presented by Ross in Palm Springs, let’s take a closer look at some of the provisions contained in the CCPA, which the California legislature passed last year and then-Gov. Jerry Brown subsequently signed.
So, which businesses in California are subject to the regulations? Ross explained the range of companies is broad, but certainly can include installing security contractors based on the following, regardless of industry:
- Annual gross revenues in excess of $25 million;
- Companies which alone or in conjunction with others annually buy, sell, receive or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or
- Companies which derive 50% or more of their annual revenues from selling consumer personal information.
“The CCPA states any company is subject to the law if it satisfies one or more of these thresholds,” Ross said.
Ross explained there are numerous clarifications throughout the CCPA yet to be handed down by lawmakers, and the law still may change by the time it goes into effect. However, the new rules clearly delineate how companies should interact with their customer data. Even companies with revenues below the $25 million threshold may want to consider adhering to the rules, she said.
Among the key provisions to which businesses must adhere:
- Disclose data collection and sharing practices;
- Consumers have a right to request their data be deleted;
- Consumers have a right to opt out of the sale or sharing of their personal information;
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
Regardless of whether you feel your company is affected by the CCPA, Ross urges all installing security and monitoring providers to be proactive in protecting their clients’ personal data. Companies should start by answering the following questions:
- What consumer data is collected?
- From whom/what sources?
- What do you do with the data?
- Where is it stored?
- How long do you keep it?
- What about any marketing databases?
- Who has access to it?
On May 16, California’s Senate blocked a bill that would have allowed consumers to sue companies over their handling of personal data. That development is considered a victory for Silicon Valley and the tech industry groups that have voiced concern about wide-ranging privacy lawsuits.
The CCPA still allows for fines of up to $7,500 for intentional failure to disclose data collection or selling others’ data without permission, Ross said.