California Governor Jerry Brown last week signed one of the toughest data privacy laws in the nation. The new law, California Consumer Privacy Act of 2018, has been compared to the European Union’s General Data Protection Regulation (GDPR), and goes into effect in 2020.
While the California Consumer Privacy Act of 2018 doesn’t have the exact same provisions as GDPR, it’s close enough in many respects. That includes giving consumers the right to know how their data is used, why it’s being collected, and also to bar companies from selling the data.
According to the California Consumer Privacy Act website, the new law (which was called AB 375) gives residents of California the most comprehensive consumer privacy rights in the entire country. Specifically, the new law gives residents:
- The right to know all data collected by a business on you;
- The right to say no to the sale of your information;
- The right to delete your data;
- The right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection;
- .Mandated opt-in before sale of children’s information (under the age of 16);
- The right to know the categories of third parties with whom your data is shared;
- The right to know the categories of sources of information from whom your data was acquired;
- The right to know the business or commercial purpose of collecting your information;
- Enforcement by the Attorney General of the State of California;
- The private right of action when companies breach your data, to make sure these companies keep your information safe.
The new law spurred strong reaction from executives in the tech industry. Patrick McGrath, Director of Solutions at Commvault, said greater steps should be taken to protect data.
“Organizations should minimize their exposure in handling personal data, keeping only the personal data necessary to service direct business and legal needs,” McGrath tells Datanami via email. “As a best practice, we encourage organizations to use archiving policies that identify instances of personal data, delete, encrypt and/or move data to more secure locations that are fully tracked.”
Mike McCandless, an executive with the encryption company Apricorn, says the new law is “a strong step” in the right direction. “However, properly implemented data encryption has proven to be a safeguard against data breaches….and should be required in order to truly protect consumers’ data.”
Salesforce.com CEO Marc Benioff says California’s new privacy law could help with the “crisis of trust” that exists between the tech industry and consumers. “Our customers’ data belongs to them. It’s their data,” he told Diginomica. “I think in some cases, companies that are start-ups and next generation technologies here in San Francisco, they think that data is theirs….We need a national privacy law here in the United States that probably looks a lot like GDPR.”
California’s new privacy law is similar to a proposition that data rights advocates previously hoped to put on the November ballot. Supporters of that proposition, which companies like AT&T and Amazon invested millions of dollars to defeat, are withdrawing it from the November election as a direct result of the legislative action.
“We are thrilled that AB 375 has become law,” Alaistair MacTaggart, the businessman who backed the proposition, told The Verge. “This is a monumental achievement for consumers, with California leading the way in creating unprecedented consumer protections for the rest of the nation.”