What is ACCP? California data privacy law could improve US business

[ad_1]

Friday, September 13 will mark the end of the California legislative agenda and, with it, the latest opportunity for the technology sector to end the California Consumer Protection Act (CCPA), a landmark privacy law to come into force next year. Despite the tremendous pressure from Silicon Valley, efforts have been in vain, meaning that in the New Year, Californians – and all Americans in fact – will begin to benefit from a wide range of protection rights. of privacy.

On January 1, the historic data law will come into force, subjecting US companies to a radical change in privacy regulations. After this date, Americans will be able to ask companies to disclose the personal data they have collected about them and also ask them to delete them. The law will have serious repercussions on technology giants such as Google and Facebook, as well as on retailers like Macy's and Walmart.

The deadline of September 13 also marks the end of an era in which the United States has challenged a change in global privacy standards and allowed US companies to transform their privacy. consumer data data. This has contributed to a series of computer disasters, ranging from the massive violation of Equifax to Facebook's Analytica scandal, and left many Americans helpless to protect themselves.

In interviews with Fortunethose familiar with the law, including lawyers, activists and industry leaders, have all predicted that the new rules would have significant effects on US companies and privacy standards. However, there is considerable confusion as to how the law will be enforced and the burden this will have on US companies. What follows is a simple English explanation of the law, the policy that governs it, and how it will affect businesses and consumers.

What is ACCP and why is it such a big problem?

The CCPA will allow consumers to compel businesses to tell them what personal information they have collected. It also allows consumers to oblige companies to delete such data or to prohibit them from sharing it with third parties. In the meantime, companies will have to do more to inform consumers from the very beginning of the data they collect. (Here is a summary of the "five new rights" on your personal data).

This is important because, until now, companies could do what they wanted with consumer data. In the event that they are hacked (like Equifax or Target) or do something really sneaky with the data (like Facebook and third-party marketers), a regulator could come in after the fact to punish companies. But there were few consumers could do it in advance. Now, it's a brand new baseball game, because Americans will benefit from protections similar to those that Europeans have obtained through the privacy law known as the GDPR.

In practice, this means that consumers will be able to ask anyone from Google to Starbucks to disclose the data they collect, simply by using a website or phone number. These companies will also have to put a button "Do not sell my personal information" on their websites and delete the data if a consumer asks them. Finally, businesses will not be able to deny services or charge higher prices if a consumer exercises these rights.

Why am I hearing about CACP now?

Although the Data Privacy Act was signed more than a year ago, many people expected the corporate lobby, especially Big Tech, to remove or neutralize it before the entry into force of the CCPA in January 2020. These people predicted that Silicon Valley would persuade Congress to write a federal law that nullified the CCPA, or at least persuaded the Sacramento legislatures to do so. exempt the technology sector. That did not happen.

As reported by Bloomberg, the technology sector made a last-ditch effort to reduce the bill this month, but efforts have been unsuccessful. The deadline for submitting the amendments was last Friday and the only changes proposed were minor changes. The bottom line: ACCP is almost certain to come into force in January.

Does the CCPA apply only to California?

Technically yes. It's a state law that applies to companies doing business in California. But as the law on data privacy concerns traders from outside states that sell to Californians – or even post a website – companies will comply with the CCPA rather than withdraw from the world's fifth largest economy . And rather than creating separate systems, lawyers agree that companies will only be applying APCC at the national level, particularly in light of major trends in society for the protection of privacy.

"In reality, it is a national law," says Jeffrey Neuberger, privacy expert at Proskauer Law Firm. "Will companies use a different standard for their California and New York customers?"

Should every company enforce California's data privacy law?

No, ACCP only applies to large companies or those who sell data as an essential part of their business. More specifically, there are three types of businesses that are covered: companies with gross revenues of more than $ 25 million, businesses with data for more than 50,000 consumers and businesses generating more than 50% of their revenues selling consumption data (data data). brokers).

What kind of data can consumers request and delete?

Nowadays, businesses have more than just your name, address and e-mail. With applications and websites following what we buy and where we go, many have created detailed profiles that accurately describe who the consumers are.

The CCPA has a non-exhaustive list of "personal data" that a company must disclose – and delete upon request. The list includes: biometrics, internet browsing information, products purchased or considered for purchase, geolocation data, academic and professional information and inferences drawn to create a profile on the individual reflecting his or her preferences.

What does compliance with ACCP mean for businesses?

A big headache especially. While companies face similar obligations to comply with European GDPR law, compliance with the ACCP will involve updating their privacy policies in the US and many other tasks including try to determine the data they have on customers.

"It will be expensive, distracting and time consuming," says Neuberger. "This will require reengineering on how people treat the data."

In the case of companies such as Facebook and Google, which rely on the analysis of personal data to sell targeted advertising, compliance with the ACCP could pose a serious threat to their business model if millions of people demand to see and delete the data that they hold. The disclosures could also draw attention to the extent of information gathering by information technology companies and add more weight to the current political reaction against Silicon Valley. Although the technology giants did not comment directly to the CCPA, they expressed their dissatisfaction through the intermediary of a trade group.

"The policy around CCPA has unfortunately overwhelmed sensible policy discussions and prevented this historic law from becoming the best law on privacy protection," said Kevin McKinley, director of the Internet Association. , Fortune.

Small businesses have their own compliance issues. For example, the owner of a minor baseball team in Sacramento with email addresses per 100,000 customers said at the the Wall Street newspaper he fears to be wrongly accused of storing information that he does not have. Some companies are worried about how to compile disparate customer data at one location, others worry about crooks by using the CCPA disclosure rules to fraudulently obtain personal information about from other people. Finally, compliance with ACCP could make it more difficult for start-ups to start up businesses.

"If you limit the flow of data, it will protect privacy, but will entail costs for startups to enter the market," said Alysa Hutnik, a lawyer who has written extensively on the CCPA for Kelley Drye. .

What happens if a company does not comply with the CCPA?

That's the million dollar question. While privacy advocates extol the goals of the law, many are wondering how it will be enforced. The CCPA is seeking fines of up to $ 7,500 for intentional offenses, but is appealing to the California Attorney General for enforcement. Meanwhile, individual consumers can sue for $ 100 to $ 750 in case a company is negligent and gets hacked. However, the CCPA also contains a controversial "treatment" provision that allows a company to assume any liability if it takes steps to remedy the data breach.

Critics say that in practice California AG does not have the resources to enforce such a law, and companies will resort to the "cure" provision if they are not respected. Meanwhile, class action lawyers – who typically take the lead in privacy cases – may be reluctant to bring cases before the ACPCC, in part because of the "cure" rule.

"We feel that it's a catastrophic law because it scares businesses and costs them a ton of money," said Jay Edelson, who heads one company. major class action groups in the area of privacy protection. "But for us, it's totally helpless."

Kelley Drye's Hutnik, however, predicts that plaintiffs' lawyers will find creative ways to still bring a class action lawsuit. She says this could include cases based on misleading advertising or unfair commercial practices.

Everyone agrees for the moment that the law enforcement part of the law is confusing and that it will be up to the judges to give guidance. on how it should work in practice.

Will ACCP make a difference to the privacy of American data?

Yes. Despite Edelson's and others' concerns that the CCPA would be too difficult to enforce, thousands of companies are already making changes to their data policies. And as early as January, consumers will be able to see for the first time exactly what businesses are collecting – and ask them to remove it.

The CACP should also encourage Congress to adopt a federal version of the Data Protection Act. In the past, privacy advocates feared that the technology sector would use federal law to dilute the California version. But today, the political mood has changed, said Hutnik, adding that California lawmakers, including House Speaker Nancy Pelosi, will block anything that weakens the CCAC. .

More generally, the new law will change the way companies view data in the first place. In the past, companies have adopted a "data is gold" mentality and have made an effort to collect as much personal information as possible, but this is changing, says Hayley Tsukayama, an activist of the Electronic Frontier Foundation.

"I hope the law will encourage businesses to think more carefully about what they collect and how to keep it," she said.