US Data Protection Law: Everything You Need to Know
GDPR analogs are appearing all over the world. India recently developed a similar bill, and now the United States is next in line: California has followed Europe's example and approved its own law regulating how companies work with users' personal data.
The California Consumer Privacy Act, or CCPA, went into effect on January 1, 2020. Below, we look at the main provisions of this US data protection law, which was developed and adopted in just a week.
Who falls under US data protection law?
The new law is not as harsh as the European directive, but it still implies big changes for business. Every internet user in California has the right to demand from a company the information it has collected about them, as well as a list of the third parties to whom that information has been disclosed.
Under the same law, a user can sue an organization that unlawfully used their PD or failed to fulfil any of their requests on time.
Companies that process the personal data of California residents (who may be located either in the state or outside it) and earn at least $25 million in annual income fall under the CCPA. There is a caveat: a company with lower income still falls under the CCPA if it stores the personal data of more than 50 thousand people.
The new law also regulates firms that derive more than half of their profit (regardless of its size) from selling PD. The organization's location does not matter: it may be inside or outside California.
What is considered personal data?
Any identifiers, biometrics, geolocation, internet activity history, and information about employment or education are considered personal data. In general, any data that can be used to identify a person falls into this category.
At the same time, the law contains some rather vague formulations. For example, a personal identifier may include information about the user's family. Likewise, any information that allows user profiles to be built, whether psychological, behavioral, or otherwise, is classified as PD.
By law, the user receives a "traditional" set of rights:
- The right of access. The user can send a request and receive all the information the company has collected about them;
- The right to be forgotten. The user may request that information about them be deleted from the company's servers and from the servers of third parties;
- The right to know. Upon request, the company must disclose the purposes for which personal data is collected and its sources;
- The right to refuse. Users can refuse to have their data transferred to third parties.
Here lies an important difference from GDPR: under the European directive, a company must obtain the user's consent to process PD, whereas under California law an organization must only process users' requests.
If a user's data is lost or stolen, the company will have to pay between $100 and $750 to each victim.
If a user has sent the company a complaint about a violation related to their personal data, the company is obliged to resolve the problem within a month. Otherwise, it will be fined; the fine is currently 7.5 thousand dollars.
However, under the CCPA, companies are not required to disclose any violations unless they have received a corresponding request from users.
The amounts of fines and payments may still change, but in any case (taking into account all the technical and legal costs) the CCPA can become a financial threat to the existence of many companies.
Another interesting nuance is that the law prohibits companies from discriminating against users who refuse to provide their personal data. At the same time, it allows for a system of incentives for those who agree.
Formally, this means (if the paragraph is not changed) that companies can offer discounts to users who have shared their data with third parties, and set different prices depending on users' privacy settings.
This sets not only an interesting technological precedent but also a cultural one: de facto, the CCPA creates new rules of the game, under which companies can buy from users information they previously received for free.
Formally, the law came into force on January 1, 2020. But from the moment it took effect, companies had to be able to immediately provide users with the data collected about them over the previous 12 months.
Accordingly, the deadline for implementing all the necessary technological solutions came a year earlier, that is, in just four months.
With this approach, we can expect the first lawsuits to appear on the very first day of the law's operation, as happened with GDPR and the lawsuits against Facebook and Google.
Large IT giants are gradually, though not very openly, opposing this law. In particular, they finance a public organization that is fighting against it.
Experts believe that a law adopted so hastily will still be corrected and supplemented within two years. However, they are not sure the changes will be significant; the main provisions are likely to remain intact.
Thus, the CCPA is the first step toward a completely new understanding of information security in America and toward modifying many practices that have been considered basic and unchangeable for years.
To stay on the right side of the law and remain reliably protected online at all times, use the most secure and private ecosystem: download and install the anonymous Utopia P2P ecosystem, a decentralized and encrypted independent place for messaging, file transfer, browsing, payments, and more.