

New California Data Privacy Law: What You Need to Know

December 11th 2019 | by Ron Zayas

On the internet, privacy has been an endangered species for far too long. Fortunately, that trend is beginning to reverse at last.

On January 1, 2020, the California Privacy Act will officially become law. It was created to give consumers control over their personal information. It grants them the means to access the records and data that businesses keep about them, the ability to have that information deleted, the right to take that information with them, and the right to stop the disclosure or sharing of their personal information with third parties.

It’s about time.

But if you run a for-profit business that collects customer information online, you’ve got work to do. You may need to review what information you are collecting, how it is collected and stored, and what your privacy policy should be in 2020 and beyond. Failure to consider these questions could result in fines (up to $7,500 per incident) and lawsuits. Happy New Year.

Not every company will be affected. But if your business has annual gross revenues in excess of $25 million, or buys, receives, sells or shares the personal information of 50,000 or more customers every year, it must meet the requirements of this new law.

Not based in California? Sorry – you’re still not off the hook if you have California customers.

What is Personal Information?

It’s what you would expect, and a whole lot more. Obviously names, street addresses, IP addresses, emails, social security numbers, etc. meet those criteria. But the California Privacy Law says that’s just for starters. It also sets restrictions on collecting personal property records, purchasing histories, biometric and geo-location information, internet browsing and search histories, employment information, education information, and any profile information about a customer drawn from any of this data.

What Do I Need to Do?

Here’s the good news – if your business is already compliant with GDPR, you are mostly where you need to be already. If not, here’s a five-step plan.

Step One: Tell visitors (in a prominent place on your site) that they have privacy rights.

Step Two: Provide two methods for consumers to request the information required to be disclosed, and deliver the requested information, free of charge, to the consumer within 45 days.

Step Three: Tell your site visitors what data you collect, why you collect it, if you sell it to third parties, and what type of business those third parties are in.

Step Four: Offer customers access to the information you have collected and stored about them, and offer them the option to have that information deleted.

Step Five: Offer customers the option of refusing to have their personal information shared or sold.

How Do I Get Started?

You have two options. The first is to tackle this challenge internally. That could mean an email to your customers about the new policies, creating compliance teams to assess the current status of your website and make changes, and training employees on new procedures.


The second is to hire an outside consultant – a company that specializes in compliance with the new privacy law. Yes, like us. We’ll conduct an initial risk management review, and then suggest (or implement) changes to bring data collection in line. We’ll create the consent request and express your company’s data collection and maintenance practices in the appropriate verbiage for your website visitors.

And we’ll provide best-practice operating controls to ensure future compliance, as well as training for your employees who handle customer data.

The New Year is just around the corner. If we can help, let’s talk.