SACRAMENTO, Calif. - Companies across the United States will have to take heed of a new privacy law introduced in California, according to one lawyer with expertise in this field.
Angela Doughty of North Carolina-based Ward and Smith PA said the structure of the law "makes the location of a business or company mostly irrelevant when it comes to certain privacy laws."
California Gov. Jerry Brown in June signed into law the California Consumer Privacy Act, under which consumers have a right to know the personal information a business has collected within the past year, sold to a third party or revealed for business reasons.
"Our privacy laws for personal information and data breach notification requirements are defined on a state-by-state basis and the applicability of a state privacy law to a company is determined by the residency of the individual from which the company is collecting information, not the location of the company," Doughty told the Cook County Record.
Angela Doughty Ward and Smith
All businesses, regardless of their location, can be subject to another state's privacy laws in which it collects data, Doughty said.
"California, even before the CCPA, had the most protective privacy laws and many multi-state businesses already use California-compliant privacy programs to avoid having to implement privacy programs on a state-by-state basis." the attorney said.
Doughty said other privacy laws already in place "focus on defining what qualifies as 'personal information'...and the notification requirements a business must comply with when there is a security incident or breach involving personal information."
"The new CCPA is more comprehensive as it not only contains broader personal information definitions and stricter penalties, but it also requires companies to provide consumers more control over and transparency into the data collected," Doughty said.
She said the size and population of California and its central place in a data-driven culture increases the likelihood that many businesses across the country will meet the threshold that the new law lays down.
"My initial advice to all our privacy clients is to, regardless of size, industry or applicable regulation, perform an internal evaluation to fully understand what data it collects, the reason for its collection and how the data is stored, accessed and destroyed," Doughty said.
She said "There are valid business reasons to collect personal information, but many times businesses find that much of the information collected has minimal to no value and potentially subjects them to regulations or laws that would not otherwise apply."
Doughty does not believe other states will follow California in introducing such stringent privacy laws, at least in the short term.
"However, with all the privacy breach headlines and consumer privacy advocates routinely in the national news demanding more accountability, it would not be surprising to see more states discussing some level of consumer privacy protections and moving closer to adopting laws that include some type of limits on a company's collection, storage or use of the personal information it collects," she said.
Doughty said any attempt by U.S. legislators to craft a federal privacy law "has so far been met with staunch opposition."
"Ultimately, despite the opposition, the success of this bill was due to the fear that a rejection of the bill would result in the approval of an even more restrictive (and very supported) consumer privacy law through a ballot initiative," Doughty said.