Such notices to US businesses hit their stride in 2017, ahead of the May 25, 2018 effective date of the GDPR, the European data privacy law known officially as the “General Data Protection Regulation”.
However, many correctly (in my opinion) chose not to do anything in response. Whether the result of legal advice, or a simple “why should I care” attitude, a purely domestic US business probably had no obligation to act under the European rule.
This year’s boom of such notices, however, hits much closer to home.
The California Consumer Privacy Act was passed in June 2018. It regulates many firms that obtain personal information about “consumers”, defined as California residents – over 12% of everyone in the US, according to recent US Census data (https://www.census.gov/popclock/?intcmp=w_200x402).
Since California is the world’s fifth largest economy, according to recent US government data, US businesses can’t ignore its requirements.
Although California’s law doesn’t become effective until 2020 – seemingly leaving plenty of time for changes, or typical legislative postponements, especially after the law’s hasty passage in June – compliance could take some time.
• Businesses must police their supply chain for compliance with California’s law, whether or not the suppliers are located in California.
• The law gives consumers the right to know what personal information about them is collected, how it is used, and even to require that it be eliminated from business records – the so-called “right to be forgotten”.
• The law also gives consumers the right to sue for violations, including in class actions.
But why should businesses be concerned about yet another “urgent” call to action, or dire warning?
After all, no one who spent money on Y2K compliance wants to repeat that fiasco.
But this time should be different:
• Businesses today collect more and more data in the ordinary course, whether online, or through smartphone apps.
• After many highly publicized data breaches, consumers and lawmakers alike will demand more protection as the price of giving up that data for free.
• The e-commerce revolution has led to much more data collection, regardless of where a business or consumer may actually be located.
• California regulators are known to be relentless.
• Meeting the breadth of duties under the new law could take some time and considerable expense.
So, to answer the question in the title of this article – what to do now? – businesses should begin to understand what data they collect, where it is stored, and, more importantly, how it is protected.