Don't miss the first-ever virtual, month-long Global Workforce Symposium. Register now!

Learn More

California Data Privacy Act Takes Effect

On 1 January 2020, the California Data Privacy Act took full effect. Enforcement of the Act will begin on 1 July.

On 28 June 2018, California became the first U.S. state to adopt its own data privacy regulation. The California Consumer Privacy Act of 2018 (AB 375) applies to for-profit companies that either 1) have annual revenue of more than $25 million, 2) handle information of 50,000 or more consumers or 3) make 50% or more income from selling information. The law allows Californians to 1) determine what data is being collected,  2) see what data is be provided to third parties, 3) prevent the sale of their data, 4) access their data, and 5) control their data without penalty.

The law covers the data of California residents who can sue for the breach of their data for the amount of $100 to $750 per incident. The California Attorney General can also bring suit for breaches of data.

The law covers the data of California residents who can sue for the breach of their data for the amount of $100 to $750 per incident. The California Attorney General can also bring suit for breaches of data.

Specifics of the Five Rights

The first right gives the consumer the authority to find out the categories of information as well as the specific information a business is collecting about him or her. When collecting personal information, a business is required to notify a consumer about the categories of information being collected. Similar to the first right, the second right also allows the consumer not only to find out what information about them is being collected but also what information of theirs is being sold and the categories of third parties purchasing their data. The consumer also has the right, with several exceptions pertaining to the use of their data, to request that their information be deleted.

The third right allows the consumer to not have their data sold. Businesses are required to include a link on its homepage to a webpage entitled “Do not sell my personal information,” which allows the consumer to opt out of allowing their information to be sold. The business must also provide, if available, its online privacy policy and the privacy rights of the consumer under California law. If the business believes the consumer is under 16 years of age, the business cannot sell their data without their consent, and those under 13 must have guardian consent.

As part of the fourth right, the consumer can request specific information from the business, which has to fulfill the request free of charge up to twice a year. The business must provide two or more means for the consumer to submit requests for their information.

The fifth right prevents the business from treating a consumer differently if the consumer invokes any of their rights to control their personal information. For instance, a business cannot charge the consumer a different price, provide an inferior level of quality or deny the sale of goods or services. The Act does, however, allow the business to compensate the consumer for allowing the business to collect or sell his or her information.

Read More

How This Impacts Mobility

The new law will apply directly to most Relocation Management Companies (RMCs) as well as many corporate members. However, as with most other industries, subcontractors to RMCs and companies transferring employees will also be impacted, as RMCs will require third parties to adhere to the law as well. RMC contracts will likely require that suppliers comply with the law when the relocation involves a California resident.

Bill Tehan is Partner at Ruder Ware and Chief Legal Counsel of Graebel.

Tristan North is Worldwide ERC® Government Affairs Adviser.

Advertisement