California’s New Data Law: 6 Things You Need To Know Now
California is the new frontline for consumer data privacy. As we discussed in last week’s CardLinx Webinar, California passed a sweeping new data privacy law that was hastily signed into law yesterday afternoon in California’s capital by Governor Jerry Brown. The law contains many new digital data rights for California consumers but is less stringent in many respects than Europe’s General Data Protection Regulation that went into effect in May of this year.
- Delayed Effectiveness Until 2020 – The law applies only to California consumers/companies and does not go into full effect until January 1, 2020. The law may well be amended before that time. As a result, there is still plenty of time for trade associations like CardLinx and industry participants to lobby for changes. The CardLinx Consumer Data Transparency Task Force is formulating an outreach plan and met last week to craft next steps.
- “Opt Out” instead of “Opt In” – The law mandates that consumers be given the right to “opt out” of data collection and also to stop any company from selling their personal data to another party. It does not require that consumers “opt in” to data collection. The more stringent “opt in” standard is what most card-linking companies implement today. Opt in is also the main consent standard mandated by European GDPR.
- Broad Definition of Data – The law covers all California consumers and all companies that do business in the state of California that have at least $25 million in revenues or derive more than 50% of their data from selling data or reach 50,000+ consumers.
- No Data Portability Mandates – The law does not require companies collecting data to share it with a third party of the consumer’s choosing. European GDPR requires data portability.
- Right To Be Forgotten – The new California law mandates that consumers be given the opportunity to have all data collected about them be deleted.
- Right to Data Transparency – Consumers have the right to request full disclosure of the data collected about them, the source of that data, and the business purpose for the data.
- New US Federal Data Laws in Early 2019 – California is the largest state in the US, the 5th largest economy in the world and home to many of the world’s largest tech companies that fall under the jurisdiction of the new law. However it is very inefficient for each of the US states to have different data laws. After this November’s Congressional elections, expect the US Congress to consider and pass a new US law on data protection that will preempt or override California’s and other state laws. It is important that CardLinx take an active role in informing and engaging with regulators and policy makers in the US.
- New Data Laws in China, Japan, South Korea and India – Europe has already passed sweeping new data laws and the US is likely to be next. Our direct CardLinx conversations and meetings with regulators and government agencies in China, Hong Kong, Japan, South Korea and India suggest that these countries will also implement new data regulations in late 2018 and 2019. Many of these laws will be modeled on the European and California laws. CardLinx has an opportunity to propose model data principles that inform all of these regulations.
- Now Is The Time For Companies to Speak Up – We know that some regulations have come and more are coming. It is important that CardLinx and its member companies continue to be proactive and lay out sound data privacy principles and advocate for a self-regulatory framework, whenever practicable. In other words, there is still time to influence how laws are implemented in the EU and California as well has how new laws are formulated in the US, Asia and other parts of the world.