July 16, 2018
California’s new Consumer Privacy Act of 2018 is likely to be treated as a de facto nationwide requirement, says information privacy expert Susan Goodman, a member of ARMA’s Board of Directors. That is largely because the law, passed on June 28, will apply to more than a half-million U.S. organizations that do business with California residents, most of them small or medium-sized ones, according to analysis done by the International Association of Privacy Professionals.
Goodman, the CEO of Infoflo Consulting LLC, says the new act, among other things:
- Requires organizations to disclose the type of data they collect and – upon request – with whom that data is shared
- Requires organizations to disclose to consumers their right to delete their personal data and to delete that data (with certain exceptions)
- Allows consumers to opt out of having their data sold or distributed
- Prohibits companies from treating consumers who opt out differently than those who don’t
“This law goes a long way toward operationalizing the Fair Information Practice Principles, which have been broadly adopted worldwide – especially the principles of transparency, individual participation, purpose specification, use limitation, security, and accountability,” Goodman says, and she notes that it also is in keeping with several of ARMA International’s Generally Accepted Recordkeeping Principles®.
“Many businesses have professed concern for their customers’ privacy while placing obstacles in the way of privacy protection,” she says. “This law addresses and prohibits many of these obstacles.”
Goodman says the framers of the California law clearly understood that many privacy principles and restrictions have been circumvented. For example, many organizations avoided technically “selling” consumers’ personal information without their consent by instead “distributing” that information free of charge along with another product or service for which they received payment. Given the specificity of the requirements in this law, she predicts it will be much harder to continue these practices.
“Compliance with this law is going to require a significant expenditure of resources by most U.S. organizations to which the law applies,” she states. “They will need to upgrade their privacy and information security programs, systems, policies, and procedures.” After all, Goodman says, even if California residents constitute only a small percentage of their customers, it is typically more resource-intensive to upgrade practices for just a segment of a customer base than to apply overarching practices to all customers.
Given the probability that this new law will be treated as a de facto U.S. federal requirement for many organizations, the great concern among the public, legislators, and courts about privacy and information security, and the reality that solid privacy and information security programs are good business practice, even organizations to which the law may not apply would be smart to work toward compliance.
Goodman is a holder of the Information Governance Professional, Certified Records Manager, Certified Information Professional, and Certified Information Privacy Professional credentials.