If you count California residents among your customers, or among those whose data you hold (and given that California is one of the 10 largest economies in the world, there is a good chance that you do), the California Consumer Privacy Act of 2018 could significantly change the way you must handle that data. Note that the legislation, set to take effect on January 1st, 2020, can still be amended before it takes effect; there have been many reports of affected parties furiously lobbying to do just that.
What Protections Are Afforded to Consumers?
Described as the most comprehensive data protection law in the US (Massachusetts, are you going to let that stand?), this law will require many companies to change a number of their business and technical processes.
The bill ensures the following rights to consumers:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
What Data is Covered?
One of the most interesting things about this new law is the breadth of what it treats as personal information. The list runs from name and address all the way to geolocation, thermal, and olfactory information. (This may give rise to many opportunities for puns, such as asking whether a program “passes the smell test.”) Also included are browsing and search history, employment data, purchase records (including products someone considered but did not buy), and more. It really is worth reading the law, which is linked at the end of this post, to see exactly what is covered.
What is Known… and Unknown
The bill requires disclosing only the category of third party with whom the data has been shared, whereas earlier proposed versions would have required disclosing the specific name and contact information of each third party. It remains to be seen whether this will simply lead to longer end user license agreements, which most users don’t read anyway, or whether it will change things in a more tangible way. Regardless, organizations will need a working data inventory: what personal information they hold, where it is stored, and which third parties receive it. In principle every organization should already have a good handle on this; in reality, many do not.
Don’t Make a Typical Mistake—Start Early!
When the General Data Protection Regulation (GDPR) was on the horizon, a large number of companies did not properly prepare for the new requirements until they were about to take effect. As a result, the ill-prepared companies were left scrambling at the last minute to comply, with varying degrees of success. If this new law will apply to your organization, the best time to begin preparing is now. January 1st, 2020 will be here before we know it.
The bill can be read here: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375
Author: Alex Hamerstone
Alex Hamerstone, QSA, ISO 27001, CISSP is the Practice Lead for the Governance, Risk, and Compliance division at TrustedSec. TrustedSec’s motto “Information Security Made Simple” holds true to Alex’s beliefs and his ability to deliver effective solutions to our customers. Known as a passionate advocate for the clients he works with and also the security industry, Alex uses his consulting experience to work with all sizes of organizations in all verticals, performing assessments, audits, and security program development.