Page 36 - GS180902
Education

Legal ease: California goes European with the California Consumer Privacy Act

By Adam Atlas
Attorney at Law

As the leader of the free world, the United States has long championed individual rights, including the right of a business to collect non-public personal information and use it pursuant to a published privacy policy. For many years, businesses, consumers and legislators found common ground where each had a measure of protection for their interests while not stifling entrepreneurship.

Then, long after all of our personal data took up residence 'in the cloud' and was subject to a number of high-profile breaches, all three groups realized something isn't right about the status quo. Consumers went from being the target of product marketing to their data being the product itself, which is now bought, sold and transferred more quickly and widely than any of us had imagined.

The new California Consumer Privacy Act, which goes into effect Jan. 1, 2020, begins a new chapter in the regulation of trade in non-public personal information in the United States. As the distinction between data and value vanishes, some states are putting more control of data in the hands of their citizens. Tension will always exist between individuals wishing to preserve bits of remaining privacy and businesses wishing to harvest that information for profit.

Context

A number of federal laws have been leading guideposts for regulating the exercise of such rights, including the Financial Services Modernization Act (Gramm-Leach-Bliley Act), Federal Trade Commission Act and Fair Credit Reporting Act.

Federal law tends to focus on holding a business responsible to disclose how information will be collected, stored, used and disclosed – usually in a privacy policy – and requiring businesses to keep the promises they make in their privacy policies and related disclosure. Federal law also raises the bar on disclosures and consents related to specific types of information, such as financial information or medical records.

Most state privacy laws have centered on data breach notification. With the exception of Alabama and South Dakota, all U.S. states have data breach notification laws. Many state data breach notification laws have the same or similar requirements, essentially requiring the entity responsible for the breach to notify the persons concerned. It is in the context of rudimentary privacy legislation that California enacted the California Consumer Privacy Act.

The new California law

The California Consumer Privacy Act grants certain rights to consumers and protects the use and sale of their personal information by businesses. The Act does not apply to all businesses; it applies only to businesses that meet one or more of the following criteria. The business:

• Has annual gross revenues in excess of $25 million
• Annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices
• Derives 50 percent or more of its annual revenue from selling consumers' personal information

The act most likely applies to businesses like Facebook, Amazon and Google, but not so much to smaller ISO operations. However, ISOs are not relieved of possible effects because many of them work alongside banks and processors that meet one or more of the three conditions under the act.

Here are some key rights the act creates for consumers:

• Right to know all data collected by a business: A consumer can demand to know which categories of information have been collected on them (for example, name, address, IP address, email address, bank account information).
• Right to say no to the sale of your information: Where the collector of the information wishes to resell that information, consumers will have a right to opt out of that sale. This will be challenging for the many businesses that earn a living by trading in personal information. There are also substantial practical issues related to giving consumers this kind of opt-out, particularly for information that was collected prior to the Act.
• Right to delete your data: This emulates the European Union's 'right to be forgotten' but does not go as far as the EU Privacy Directive. Still, consumers will be able to demand that their data is deleted, which could interfere with businesses that depend on