Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterestIcon/UI/Video-outline

California sets new standard for privacy in the US

11 February 2020

#Data & Privacy

Published by:

California sets new standard for privacy in the US

From the start of this year, the US has a new high water mark for privacy regulation. The California Consumer Privacy Act (CCPA) has come in to effect, and it can apply to entities located outside that state. 

In summary, if you are a for profit entity with revenue of more than US$25 million which does business in California and collects the personal information of consumers in that state, you will need to comply  with the new law. “Doing business” does not require a physical presence in the state.

The CCPA concept of “personal information” is broader than the definition in the Australian Privacy Principles, extending to information that “is capable of being associated with, or could reasonably be linked” with a person residing in California. The concept also applies to purchasing histories and tendencies, browsing histories and search histories. 

If the CCPA applies to your business, you must disclose the following when you collect personal information:

  • the categories of information collected and the purposes for which the information will be used
  • whether your business sells personal information and the categories of parties to which it is sold
  • that the consumer can request disclosure of the pieces of personal information the business has collected
  • that the consumer can request deletion of their personal information
  • that the consumer will not be discriminated against for exercising their rights under the law.

Plus, you must offer an “opt out” from the sale of the consumer’s information.

Some details of the legislation are still being finalised, but if your business has customers in California, you should consider the potential application of the CCPA, and look at developing systems, documentation and procedures to enable achievement of compliance as a matter of urgency. Such steps might include undertaking a data mapping exercise (to identify any data for California consumers that you hold), a possible update of you privacy policy to accommodate the requirements of the CCPA, and setting up opt out and data deletion systems in order to respond to such requests from consumers. 

Author: Dan Pearce

The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Share this