It seems that all we have heard about for the past year is GDPR, and it’s not over yet. Just this week we’ve heard how the UK data watchdog intends to fine Facebook the maximum amount of £500,000 for a data breach.
Just as the dust starts to settle, and the influx of consent emails from big companies dies down, the US has jumped on the data privacy bandwagon.
The State of California has passed a new digital privacy law, the ‘California Consumer Privacy Act’, which comes into force in January 2020.
What is the California Consumer Privacy Act (CCPA)?
This new law affords consumers more control over their personal data in an online context. Consumers will have the right to demand that companies disclose the information they hold on them, and tell them the reason they hold it and who they share it with. Consumers may also ask companies to delete their information, and forbid them from sharing their personal data with others. Similarly to GDPR, fines for breaches will be higher than before.
California isn’t the only US state having a rethink about data privacy.
In May, Vermont passed the first US law regulating data brokers (companies that sell individuals’ personal information). Data brokers will be required to register with the government, give people information on the data they hold on them (and how they can opt out from this), have certain policies and procedures in place, and report to authorities if there is a breach.
California’s legislation is broader than that of Vermont; however, it is expected that the California standards will quickly spread throughout the whole of the US, especially since many companies (mainly in the tech sector, which will be mostly impacted by the law) are headquartered in California.
How is privacy currently protected in the US?
Currently, the US has a patchwork of regulation governing data privacy. The US has taken a sector-specific and state-specific approach, meaning that while personal data is protected in particular sectors and states, there is no federal blanket protection of an individual’s data.
The current law in California already requires companies to disclose data breaches to Californian residents when their personal data has been compromised. California was also the first state in the US to require security breaches to be notified. It seems that California is, once again, leading the charge on the reform of privacy laws.
Do US companies have a good grasp of GDPR?
GDPR came into force on 25 May 2018 and covers all companies processing or controlling personal information on EU residents, regardless of where the business is located.
It seems that many US firms are not compliant with GDPR. A small number of US companies still appear to be unaware of the law.
US firms are advised to create a ‘data map’, which sets out all the personal data of EU residents held by the business, and whether the firm is acting as a data processor or a data controller in respect of that data. Firms should then determine whether they have a valid legal basis for holding that data, or whether they require individual consent. They should also consider appointing a data protection officer.
This is a huge project for a lot of firms, and indeed many EU firms are still getting to grips with the new requirements. US firms are encouraged to put some resource into implementing appropriate and effective policies and procedures to ensure that the data of EU residents is adequately protected. It is also true, however, that improved data protection policies can result in overall business gains; GDPR can have a positive impact on what you do.
What should UK firms be doing about the new law?
The California Consumer Privacy Act is not as extensive as GDPR, and so it is likely that UK and EU firms that currently comply with GDPR will broadly comply with the Californian regime. Nonetheless, if UK and EU firms are operating in California, or indeed holding data in respect of individuals resident in California, then it is advised that a gap analysis between the EU and Californian laws is carried out to determine if there are any areas which might need to be specifically addressed.
It seems that other countries will eventually catch up with the EU’s work on data privacy, and it doesn’t appear to be the case that the reforms in California and Vermont will end with those states. Regardless of where the laws legally apply, consumers are coming to expect more from companies, and expect their data to be kept safe and secure.
UK and EU firms operating in the US should keep a watching brief on developments in the US, making note of any US-specific idiosyncrasies that they should build into their data protection processes. And US firms that are not currently compliant with GDPR should take immediate steps to ensure compliance. It looks as though the same principles will apply throughout the US soon enough anyway!
We hope that you have found this article useful but often some expert legal advice is needed so please feel free to contact LawBite if you have any questions or need help with drafting your contracts. You can take advantage of the free 15 minute legal consultation or the contract review service by calling the LawBite team on 0207 148 1066 or entering an enquiry here.