The new California law is a step towards the GDPR. This has much of the same intent, however, does not have the like exact goals, parameters, or negative reinforcement for not complying. Interestingly, the law requires the company to disclose the “category” of the third party receiving the consumer’s data, versus the name of the third party.
Consumers in California will, beginning on January 1, 2020 (the point at which the law takes effect), have the right to know all the data that has been collected for the individual consumer, to not allow their data to be sold, know what type of companies are receive the data, have their data deleted, the sources of the consumer data being sold, and other pertinent, germane facets of their data.
The headlines do indeed portray this as a far-reaching and direct victory for consumer rights. The general consumer thought is of this bringing the Google, Yahoo, and other internet-oriented companies to comply and be more transparent with their wishes. One should actually read the statute to garner a better understanding of the statute’s parameters. The California Consumer Privacy Act of 2018 does indeed affect businesses. As an example, section 1798.105 references a consumer’s right to request a business to delete any of the consumer’s personal information. On the initial reading, this would appear to affect all businesses collecting the personal information of a California citizen.
With this law, in general as it pertains to consumer’s data privacy, a business “...collects consumer’s personal information” (1798.140(c)(1)), has annual gross revenues greater than $25M (1798.140(c)(1)(A)), buys or receives the personal data of at least 50K consumers, households, or devices (1798.140(c)(1)(B), or derives 50% or more of the annual revenue from selling consumer’s personal information (1798.140(c)(1)(C)). As the statute is presently written, the “or” is important. Although this does narrow the potential field of companies having to comply to the statute, this would include the massive companies that comprise most of the work done in this endeavor. This statute also covers any device, which is any equipment that may connect to the internet or another device.
Embedded Devices
Embedded devices are throughout many industries and utilized with many devices consumers are in contact with daily, including vehicles. The connected vehicles have many opportunities to collect a consumer’s private information. If the person were to connect their cell phone to the vehicle with an app, the person’s contact list, smartphone call history, locations visited previously, credit card numbers, and other relevant data could be collected or in the least pass through the modules. With IoT devices, there may be present a portion of this data and other data points deemed confidential. These are only two examples of the many possible scenarios. In the present capacity, there is no legal advice and this is my opinion only, however, seemingly this new statute would apply to the embedded systems in vehicles, IoT devices, and other like devices collecting, processing, or managing a consumer’s private information and data in California. At this junction, this point is more of conjecture and to begin the thought process.
Is this were to be applicable to these systems, there would need to be completed much updating to the code for the present and future hardware, the affected policies, and noticing functions for the consumers.
Resources
California Legislative Information. (2018). Bill text - AB-375 Privacy: personal information: business. Retrieved from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
California Privacy. (n.d.). Californians for consumer privacy applauds successful passage of groundbreaking legislation. Retrieved from https://www.caprivacy.org/
Lecher, C. (2018, June 28). California just passed one of the toughest data privacy laws in the country. Retrieved from https://www.theverge.com/2018/6/28/17509720/california-consumer-privacy-act-legislation-law-vote
