What Advisors Should Know About the California Consumer Privacy Act
by Paul Ruden
In May 2018, Travel Market Report published my article about the then new General Data Privacy Regulation, or GDPR, that was about to become effective with potentially far-reaching consequences. I noted that “it is impossible to be certain of the circumstances under which the GDPR will apply to specific small businesses in the U.S.” and that “the potential penalties for violation of the GDPR are life-threatening to many businesses; the upper limit is 4 percent of a company’s global sales (or $20 million, whichever is larger).”
It has been almost a year and, so far, doomsday has not happened. We know, for example, that most large companies have reissued their privacy policies with new, and substantially similar, sections devoted to general principles from GDPR. We also know that while GDPR has spawned many complaints, small businesses have not been singled out, in Europe or the U.S. Here, for example, is the reported enforcement activity so far:
- 95,000+ individual complaints covering telemarketing, promotional emails, video surveillance (CCTV)
- 41,000+ data breach notifications
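- 255 cross-border investigations
- Fines to date: a social network operator, 20,000 euros; a sports betting café, 5,280 euros; Google, 50,000 euros
The penalties are not trivial, but there is no reason to believe that GDPR enforcers are running amok against small businesses over minor issues.
This is not to say, however, that GDPR can be ignored. If you have actual or potential customers in the European Economic Area (the EU plus Iceland, Liechtenstein and Norway), you need to make sure your handling of personally identifiable information is compliant. That’s the good news.
Concerns about data processing
The bad news is that concern about EU enforcement is not the only problem. As expected, GDPR has inspired more comprehensive privacy legislation in the U.S. In this and succeeding articles, I will elaborate on the California Consumer Privacy Act (CCPA) that becomes effective Jan. 1, 2020. It’s not too soon to begin thinking about how your agency will comply.
However, for several reasons, no expenses should be incurred yet. There are 19 pages of “technical amendments” under consideration. Also, the California Attorney General will be issuing regulations under the Act likely between Jan. 1, 2020 and July 2, 2020. Enforcement may not begin until the earlier of six months after the final regulations are published, and July 1, 2020. You can sign up for notices related to that rulemaking here. All of this means that the legislation may change significantly before enforcement begins.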
That said, if your business is large enough to fall under the CCPA, you likely plan well ahead for investment and strategic purposes and should at least be thinking about how you will comply with a significant increase in demands for privacy controls on the personal data your business collects and processes.
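As things stand today, small travel advisors technically do not have to comply with the CCPA at all. The CCPA targets for-profit businesses that have annual revenue of $25 million or more, or trade in the data of 50,000 or more people, or derive 50 percent or more of their revenue from selling consumers’ personal information. The “consumers” whose data the CCPA covers are “natural persons,” which excludes corporations residing in California. Beyond the size factors, the CCPA applies only when a business collects and processes the personal information of California residents and does business in California.
As some have learned to their sorrow, the legal principles governing “doing business” in a state are complex and far-reaching. For example, a physical presence in California is not required to establish that you are “doing business” there. Selling to California residents through digital services such as email solicitations, for example, would be enough. A passive website alone probably would not; otherwise, every company in the world with a website would be deemed to be “doing business” in California.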
Thus, if your business is below the size thresholds I have mentioned, you are not subject to the CCPA at least. If you’re above the thresholds, and serve individuals residing in California, you probably should assume, for current planning purposes, that you will be subject to the law.
About compliance
If your business is subject to either GDPR or CCPA, you have myriad issues to consider. For example, under GDPR’s requirement for clear, specific disclosure of the purposes for collecting personal data, the exact means of compliance is up to the individual company. CCPA goes further by requiring a clear and conspicuous link on the business’ homepage, reading “Do Not Sell My Personal Information.” The link must lead to a site where a consumer, or the consumer’s designee, may opt out of the sale of the consumer’s information. If this link requirement remains in the legislation, it’s going to affect the design of the home page of every travel website subject to the law.
Another troubling element of the CCPA is the notion that “personal information” includes “inferences drawn from any of the information … to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.” This language appears to extend the data protection regime beyond the information gathered about the individual to information created on the basis of that information and identifiable back to the collected data.
In upcoming articles, we will explore these and other elements of the CCPA in more detail.