
West Coast Consumers Lead the Privacy Charge

For those still questioning whether GDPR and data regulation are here to stay, look to the West Coast for confirmation. This summer, the state of California signed into law the California Consumer Privacy Act, the strictest online data privacy law to date in the U.S. While the regulation may seem like just another reaction to the GDPR, the shift toward state-wide regulation is evidence that U.S. consumers are waking up.
The GDPR and the California Consumer Privacy Act are driven by the same force — a clear need for greater regulation of personal data collected by organizations — but they respond to different issues. Whereas the GDPR focuses broadly on the protection of personal data, the California Consumer Privacy Act targets companies that are monetizing and reselling the data they collect from California-based consumers. It is more focused on consumers than on specific data protection.
It is also, in essence, a law for the people, by the people. Started as a ballot initiative by California voters, the regulation is a direct response to the groundswell of attention around privacy. Today’s consumers, seemingly without specific knowledge of the GDPR, are reacting to recent security breaches and the Facebook-Cambridge Analytica scandal. They want to know who has their personal information, how it is being used and protected, and what control they have over their own data. The California Consumer Privacy Act aims to empower and reassure consumers by granting:
  • The right to know what personal information a business has collected, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom
  • The right to “opt out” of allowing a business to sell personal information to third parties
  • The right to have a business delete their personal information, with some exceptions
  • The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act
The regulation may focus on California-based consumers, but companies outside of California are not off the hook. With e-commerce and remote workplaces, companies’ digital footprints often expand beyond state borders and interact with consumers across the country. This trend toward state-based regulation has the potential to create a complex environment for companies that collect and use data (really all companies today!). Other states such as Georgia and Vermont have passed bills covering aspects of protection of personal data, and New York is revamping its cybersecurity laws. As more regulations are introduced, it will become more complicated for U.S. businesses to comply on a state-by-state basis. While most regulations will be compatible with one another, we’ll likely see incompatibilities and mismatches that will create a call for the standardization of data privacy protections—though this is likely years away.

In the meantime, organizations can prepare for the California Consumer Privacy Act much as they did for the GDPR: know and understand what personal data they have, where it resides (on-premises, cloud or hybrid) and how they use it. In this case, California defines personal data more broadly than the GDPR, including metadata that describes personal information. This requires a wider approach, in which companies should:
  • Identify what data is personal data, how they use it and whether they have the right to use it
  • Establish information governance policies and systems to manage the classification, redaction, retention and destruction of personal electronic data
  • Set up maps to understand how data is changed, managed and protected within the organization
  • Change data collection to be compliant, including allowing consumers to opt out on their website
  • Prepare to notify consumers of breaches and prepare for damage claims and possible fines ($7,500 per offense) when consumers feel their privacy has been compromised
  • Ensure nondiscrimination for those consumers who opt out of data collection
  • Consider business models that will directly pay consumers for the right to use their data
These steps will only be possible with the right tools and automation. Businesses need data classification so end users are aware of any protection constraints on the data they are using. They need content services to automate the capture of consumer access requests, as well as the management, governance and deletion of electronic personal data. Finally, they should invest in automated data lineage to track how data flows through the organization and any changes that may occur along the way. That way, when complaints and audits do arise, organizations will be ready to show exactly what data they have and how they’re protecting it.
As the regulatory landscape becomes more complicated, the best way to achieve compliance is through transparency. Companies that keep track of data on an ongoing basis, and communicate clearly with consumers, will understand their business and know how to prepare for the 2020 deadline.
To learn how ASG’s Data Intelligence solution can help your company understand its data in the changing regulatory landscape, read this release. For more information on our Mobius Content Services Platform, please visit this page. For more information on Data Intelligence capabilities for data governance and data lineage, visit this page.

Posted: 8/10/2018 8:21:02 AM by Rob Perry
Filed under: act, california, consumer, data, GDPR, information, management, privacy