(This post originally appeared on The Guardian)
Does your business sell – or even handle – a large amount of personal information about people who live in California? If so, then come 1 January 2020 you had better make sure your website is in compliance with the state’s new laws. Otherwise, you could be facing stiff penalties.
Following on the heels of the 2016 European General Data Protection Regulation Act (or GDPR), which imposes rules on any company selling or gathering information online from people who live in its member countries, the new legislation in California will seek to provide its residents with additional protections over their private data and how companies collect and use it.
California consumers will soon have the right to know things like what personal information is being collected from them when they visit a site before the collection occurs. Applicable businesses must also allow those consumers to opt out of giving their information. Consumers will also have the right to require businesses to delete their personal information.
If you’re an employer in California, you’ve also got new rules to consider. “Starting January 1, 2020, employers must provide privacy notices to employees that describe what personal information will be gathered and how it will be used at or before the point of collection,” Alonzo Martinez, an associate counsel for compliance at background checking firm HireRight, writes in Forbes. Martinez says that personal information about employees “covers anything that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Businesses that don’t comply could pay dearly. Civil penalties run as high as $2,500 per violation, and an intentional violation could cost up to $7,500. More concerning is that the law leaves open the right of individual consumers to take action against companies that they believe improperly accessed or misused their personal data.
If you think your small business is off the hook just because it may not meet the requirements of the California law, then you’re being naive. According to the Norton Rose Fulbright Data Protection Report, a service providing data collection legal insight for businesses, other states like New York, Nevada, Washington, Massachusetts and even Texas are considering similar rules, with some in Congress hinting that federal legislation may not be too far off. “There’s definitely a lot of movement in this area,” Dr Iga Kozlowska, a privacy manager at Microsoft, told Event Marketer.
The takeaway is that there’s a significant trend towards protecting consumer privacy and it will affect most businesses like yours and mine, regardless of our size.
The best way to prepare is to assume that this will happen, and the best model – in my opinion – is to follow the compliance guidelines of the European GDPR. To that end, confirm that you know where all the data your company collects about your website visitors and employees is located and how it’s secured. Make sure you’ve got the ability to access and delete this data if necessary. If your site uses cookies – those little files that get downloaded to the visitor’s device for tracking – you’ll want to ensure you’re getting permission from the visitor. You’ll also want to clarify your data-gathering privacy policies and make them fully available on your site. Other good steps are provided here.
The misuse of personal data has finally hit its tipping point and politicians in the US are beginning to take action. Your business – even if it’s a small business – will likely be affected, so it’s best to take action sooner rather than later.