Emerging Markets Law

2020: The Year of Personal Privacy

2020 circuit board

In case you have not heard the news, 2020 ushered in a new law in California (the California Consumer Privacy Act, or CCPA) that gives consumers the right to know, upfront, what personal information companies collect about them. It also gives consumers the right to demand a copy of their information, to require that a company delete information it has collected, and to opt out of having their data sold to third parties.

The last three years have brought a fundamental shift to privacy as a legal matter. Prior to 2018, the default model for most companies collecting data online was to slap up a privacy policy and collect and use any information they wanted. Consumers had no right to know what was collected or where it went. Companies like Facebook and Google, which do not require consumers to pay for their services, made billions of dollars by collecting, mining, and trading the information of their consumers.

The CCPA and, in 2018, a similar privacy “bill of rights” in Europe (called the General Data Protection Regulation, or GDPR) have flipped the model. As is often the case, the new regulations (1) arguably go too far in correcting the imbalance perceived by the regulators and (2) contain a number of ambiguities. As a result, many U.S. companies must achieve compliance, even small companies, companies not based in California, and companies that only sell to corporate customers rather than to consumers. In addition, what constitutes “compliance” may be open to question for the first few years of the new laws’ existence.

If you handle any information about human consumers – whether they are your customers or the clients of your corporate customers – you may be subject to the new CCPA requirements or other similar laws. Failure to comply comes with the risk of fines, regulatory investigation and lawsuits (another new consumer right created by the CCPA). Not complying will also make it harder to pass B2B security reviews at contract renewal and RFP time. In addition, there is a possibility that the new privacy rules will apply to data about your own employees starting in 2021. In short, there is a lot of reason to review and upgrade your privacy and security practices in 2020. The CCPA will not be the last state law we see in this area.

Stay Connected

Subscribe to blog updates via email