Digital marketing professionals who are using the personal data from California consumers need to make sure that they are up-to-date on the impending restrictions associated with the California Privacy Act of 2018 that went into effect on January 1, 2020. In many ways it makes Europe’s GDPR look tame!
At its base level the bill would grant a consumer the right to request a business to disclose;
- the categories and specific pieces of personal information that it collects about the consumer,
- the categories of sources from which that information is collected,
- the business purposes for collecting or selling the information, and;
- the categories of 3rd parties with which the information is shared.
Sounds simple enough, right? However, the bill also sets out a raft of requirements (n=both digital and real-world) that the businesses must comply with in order to collect or use any “personal data” of California citizens. According to the Act – A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by a consumer within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use of the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
Sounds simple enough. Right?! We haven’t even got to the complex parts yet about “inferred” personal data. That's yet to come.