Read the Beforeitsnews.com story here. Advertise at Before It's News here.
Profile image
By China Law Blog
Contributor profile | More stories
Story Views
Now:
Last hour:
Last 24 hours:
Total:

Incoming (and Existing) California Laws Spell Big Changes for International Companies

% of readers think this story is Fact. Add your two cents.


Many of our China clients sell their products and services to the United State. And because nearly all of those companies sell to California, the China Law Blog editors asked me to write about how California’s rapidly advancing privacy and data security laws. I have been tasked with this because I am a data privacy law attorney in our firm’s Los Angeles office and a Certified Information Privacy Professional and much of my work involves helping foreign companies navigate U.S. data privacy laws.

In the past few years, California has adopted the most sweeping and broad privacy and data security laws in the United States. California has taken up the task of creating a massive shift in data privacy and security laws similar to what the European Union did with its General Data Protection Regulation (or “GDPR”). These new laws will undoubtedly affect businesses throughout the United States, and even the world, because they are targeted to data affecting California consumers—regardless of where the businesses holding that data reside. So, it is critical for businesses from around the world to understand these laws and modify their data practices accordingly.

It is also important for international companies to understand this isn’t just a problem for some time in the future. There are current laws (again, mostly in California) that require them to adopt data security and privacy controls, which in our experience many companies are not even aware of. This post examines some of the more important laws on the horizon, as well as ones that already exist.

California Consumer Privacy Act

The California Consumer Privacy Act (or “CCPA”) was approved by the California Governor as Assembly Bill 375 in June 2018, which was subsequently amended on September 23, 2018 via Senate Bill 1121 (another possible statutory amendment is currently under consideration, and the California Attorney General is in the process of implementing regulations pursuant to the law).

The CCPA will take full effect in January 2020 and is by far the most sweeping privacy law in the history of the United States and is comparable in scope to GDPR, a law of which virtually every international business is aware.

In a nutshell, CCPA was intended to give California residents very expansive rights to seek information from certain “businesses” which collect the California residents’ data, and request deletion or modification of that data. Businesses are also not permitted to discriminated against customers who exercise any of the rights identified in CCPA. It’s not very clear what the specific criteria are for determining which businesses qualify. That’s because “business” is defined to include businesses that:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Right off the bat, it’s clear that many businesses won’t hit the (A) or (C) thresholds. But (B) is extremely vaguely written and could subject many medium or large (and even some small) businesses to the CCPA’s reach. The lack of clarity could mean that it’s safer for some businesses to just assume that the law applies to them and act accordingly.

This is an over-simplification of the very complex CCPA, but the point is that consumers will have a great deal of leverage over qualifying businesses when the law takes full effect. In many senses the CCPA is like the GDPR. But there are many differences too, so it’s important to consult with counsel who is versed in both jurisdictions’ laws and regulations.

I would be remiss if I did not mention the possibility that CCPA will be preempted by a future federal privacy law. But even if that happens, there will still be some sea change on the horizon with which businesses must familiarize themselves and comply.

California’s Internet of Things Law

In late September 2018, the California Governor approved of SB-327, the first information security law in the U.S. specifically targeting the Internet of Things (“IoT”). SB-327 takes effect on January 1, 2020, and will require manufacturers of connected devices—essentially, devices in the IoT—to equip them with “reasonable” security measures. These security measures must be appropriate to the nature of the devices and information they collect and contain and must be designed to protect the devices from unauthorized access, destruction, use, modification, or disclosure. SB-327 also requires devices that can be accessed outside of a local area network either to be equipped with a unique password or to allow a user to generate its own password.

SB-327 really only affects “manufacturers” of IoT devices—not distributors, retail sellers, or customers. For many businesses that rely on, sell, or use IoT devices, no real changes in operations may be necessary. But that term “manufacturers” is extraordinarily broad and may touch businesses halfway around the world.  The term is defined to include any business that manufactures—either itself or through a contracting third party—qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold for product sales in California. Consequently, any manufacturer, anywhere, could be subject to SB-327.

Complying with SB-327 may be as simple as assigning randomly generated passwords to each device or re-tooling software or firmware to provide more robust security protection. But for some manufacturers—especially of devices that gather or contain sensitive information—compliance may be more involved and may require a ground-up reinvention. Consultation with counsel is always the best step towards compliance.

Existing Law

The CCPA and SB-327 are still a ways out, but that doesn’t mean that international—or even other U.S. businesses—are off the hook. There are a host of privacy laws around the country that apply.

For example, website operators outside of California may need to comply with the California Online Privacy Protection Act and conspicuously post a website privacy policy containing statutorily required disclosures if they own or operate a website that advertises to, services, or in many cases is simply accessible by California residents. This requirement applies when a website collects “personally identifiable information” about California consumers, including first and last name, home or other address, email address, telephone number, Social Security number, or any other information that would permit a person to contact a website user (either physically or online). Such a policy may be required even for businesses located in distant areas of the United States just by virtue of the fact that its website can collect this information.

Many states—including, obviously, California—also have some kind of information security standard. These laws usually require businesses holding some kind of statutorily defined “personal information” to adopt reasonable security measures.

These are just a few examples. The point is that data security shouldn’t be an afterthought for international businesses. They should be proactive and get ahead of the curve because, like it or not, these laws are here and they are only getting more comprehensive.

We will be discussing the practical aspects of Chinese law and how it impacts business there. We will be telling you what works and what does not and what you as a businessperson can do to use the law to your advantage. Our aim is to assist businesses already in China or planning to go into China, not to break new ground in legal theory or policy.


Source: https://www.chinalawblog.com/2019/03/incoming-and-existing-california-laws-spell-big-changes-for-international-companies.html


Before It’s News® is a community of individuals who report on what’s going on around them, from all around the world.

Anyone can join.
Anyone can contribute.
Anyone can become informed about their world.

"United We Stand" Click Here To Create Your Personal Citizen Journalist Account Today, Be Sure To Invite Your Friends.

Please Help Support BeforeitsNews by trying our Natural Health Products below!


Order by Phone at 888-809-8385 or online at https://mitocopper.com M - F 9am to 5pm EST

Order by Phone at 866-388-7003 or online at https://www.herbanomic.com M - F 9am to 5pm EST

Order by Phone at 866-388-7003 or online at https://www.herbanomics.com M - F 9am to 5pm EST


Humic & Fulvic Trace Minerals Complex - Nature's most important supplement! Vivid Dreams again!

HNEX HydroNano EXtracellular Water - Improve immune system health and reduce inflammation.

Ultimate Clinical Potency Curcumin - Natural pain relief, reduce inflammation and so much more.

MitoCopper - Bioavailable Copper destroys pathogens and gives you more energy. (See Blood Video)

Oxy Powder - Natural Colon Cleanser!  Cleans out toxic buildup with oxygen!

Nascent Iodine - Promotes detoxification, mental focus and thyroid health.

Smart Meter Cover -  Reduces Smart Meter radiation by 96%! (See Video).

Report abuse

    Comments

    Your Comments
    Question   Razz  Sad   Evil  Exclaim  Smile  Redface  Biggrin  Surprised  Eek   Confused   Cool  LOL   Mad   Twisted  Rolleyes   Wink  Idea  Arrow  Neutral  Cry   Mr. Green

    MOST RECENT
    Load more ...

    SignUp

    Login

    Newsletter

    Email this story
    Email this story

    If you really want to ban this commenter, please write down the reason:

    If you really want to disable all recommended stories, click on OK button. After that, you will be redirect to your options page.