California’s new data privacy law and your business

In June, California passed a consumer privacy law that could soon affect many organizations in Illinois and elsewhere that are deemed to conduct business in California.

Likened to the European Union’s General Data Protection Regulation (GDPR), the new privacy law gives California consumers the right to know what personal information a business has collected about them, including where it was sourced from and how that information is being used. 

Consumers have new privacy rights, including the rights to opt out of having their information sold; to have their information deleted; and to receive equal service and pricing – even if they exercise their privacy rights.

To comply, businesses will need to provide a specifically worded opt-out link on their home page and provide at least two ways for consumers to submit disclosure requests, including a toll-free phone number. Businesses will have 45 days to disclose their data sharing practices following a consumer request. 

The act is slated to go into effect in 2020 and will apply to for-profit businesses that collect and control California residents’ personal information and meet any one of the following criteria:

(1) have annual gross revenues greater than $25 million;

(2) buy, receive, sell, or share personal information of 50,000 or more California consumers annually; or

(3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.

Although these criteria mean that most small businesses will not have to comply, the International Association of Privacy Professionals (IAPP) estimates that more than 500,000 U.S. businesses will be affected by the privacy law.