In June 2018, California passed one of the most advanced privacy laws in the US – The California Consumer Privacy Act of 2018 (AB 375). The act is hailed as a major step forward and is being compared with the General Data Privacy Regulation (GDPR) in Europe.

Upon review, AB 375 presents several challenges, not least of which is that it is not slated to go into effect until 2020, and that many big tech companies are calling for changes to provisions of the law.

What is in the law

AB 375 establishes several data privacy rights for California residents and, like the GDPR in Europe, this law applies to any business that sells to or holds personal data on California residents.

These data privacy rights are:

The right of Californians to know what personal information is being collected.
The right of Californians to know whether their personal information is sold or disclosed and to whom.
The right of Californians to say no to the sale of personal information.
The right of Californians to access their personal information.
The right of Californians to equal service and price, regardless of their choice to disclose personal information.

In short, AB 375 gives Californians a way to opt out of almost all secondary uses of their personal information, whether for sale to data brokers, for tracking, or for other uses not tied directly to the provision of a service.

Who must comply with AB 375?

Unlike the GDPR, California’s AB 375 privacy law only applies to a specific category of for-profit business. The organizations affected must conduct, or be brand-affiliated with, business within California, receive or disclose the personal information of more than 50,000 Californians, and produce gross revenues of more than $25M – 50 per cent of which must be derived from the sale of personal information. This means that California not-for-profits, small businesses, or even large corporations that collect less than the minimum threshold of personal information are not affected by this law.

What is not included in AB 375

While the California privacy law does impose penalties for breaches that result from not adequately protecting information, AB 375 does not contain requirements for how businesses must protect that information. The law also lacks any language to guide a court in deciding whether an organization’s data protection practices are adequate.

Impact on California market

Unlike the European GDPR, AB 375 does not contain specific Security of Processing instructions that businesses must follow. The law does, however, prescribe how businesses are to obtain consent for collecting and using personal information, and consumers cannot be discriminated against for exercising their rights.

AB 375 relies heavily on other California and federal laws to provide guidance in these areas. As a result, several conflicts exist with other laws, requiring further clarification through regulatory guidance or changes to AB 375 itself.

Additionally, there are still open questions about how AB 375 might be amended under pressure from technology companies and privacy advocates, and what supplementary regulations might be issued.

A logical solution

Encryption of sensitive data is key to demonstrating that information has been adequately protected under any privacy regulation or law.

Echoworx is committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centers around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centers in the US, UK, Ireland, Germany, Mexico and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

By Brian Cole, Senior Manager of Security Operations and Support, Echoworx