By now you’ve probably heard of GDPR, the strict data privacy standards that went into effect in Europe this year. But did you know that similar standards are coming to the US? Last June, the state of California passed the California Consumer Privacy Act, which will go into effect on January 1, 2020.
According to David Reim, chief privacy officer at DMD, the law will apply to businesses with annual revenue that exceeds $25 million or that utilize data on 50,000 or more Californians, among other conditions. In his Digital Pharma East presentation from the main stage, Reim reported that the law broadly defines personally identifiable information (PII), and requires companies that collect PII to grant users the rights to access, opt out or delete their data upon request. Fines ranging from $2,500 to $7,500 per violation may be levied. While that may sound low, imagine sending an email blast to 10,000 recipients, then discovering that the vendor who sold you the list had obtained the data improperly.
If you’re thinking “I don’t live in Europe or California, so why should I care,” the answer is that the sheer size of California’s economy means it’s probably not wise to exclude Californians from your business plan. But more importantly, now that California is leading the way on data privacy, other states are likely to follow suit. And tech companies and chambers of commerce, which once lobbied against federal rules on data privacy in the US, have switched sides on this issue. They’re so afraid of ending up with a patchwork of state privacy regulations that they’re now actively lobbying for Washington to create a federal framework. According to Reim, “There’s no question we will get a GDPR-like national privacy law in the near future.”
You may also be thinking “I don’t have to do anything about the California act until 2020.” But according to Reim, the day it goes into effect, internet users will be able to request any data that companies have captured on them from the preceding 12 months. So any data you capture on January 1, 2019 is fair game.
It’s time to start planning! Make sure your legal team knows they’re going to have to update your company’s privacy policy. Reim closed his presentation by recommending that companies hire a third party to audit their data practices. Then he reminded us that January 1, 2019 is just over two months away.