A big change in data privacy protection is ramping up in California, and many Florida businesses will soon feel its effects.
Beginning this month, large businesses around the country that operate in California must disclose to their Golden State customers who ask for it any data the companies collect about them. Those customers can then request that the information be deleted or demand that it not be sold. Companies that fail to comply could face significant fees and penalties.
“Companies put themselves at risk if they develop a wait-and-see attitude” to the law, said Jack Clabby, a cybersecurity and privacy attorney in Tampa.
The law, called the “California Consumer Privacy Act,” is the first sweeping data privacy measure in the country. It is intended to give consumers more control over their personal data at a time when breaches are rampant and personal information is mined, sold and used in ways consumers have little say over. A recently proposed Florida bill seeks to take similar steps for consumer data privacy.
“The logistical challenges, independent of the legal challenges, are a significant undertaking for businesses who have to comply with the (act),” said Clabby, a lawyer with Carlton Fields, of the California law.
The law applies to for-profit companies that operate in California and meet one of three criteria: They have a gross annual revenue of at least $25 million; they buy, sell or share personal information for at least 50,000 California consumers; or they make at least half of their annual revenue by selling consumer data.
According to Clabby, hundreds of Florida businesses are expected to be affected by the law, including dozens of Tampa Bay-area companies.
The companies that the law covers are mostly large private and public companies with significant reach. A report by California’s attorney general estimated that compliance will cost businesses roughly $55 billion initially, and the U.S. Department of Justice expects between 15,000 and 400,000 businesses to be affected nationwide.
Fines for failing to comply range from $2,500 to $7,500 per violation.
California’s law provides a broad umbrella for what constitutes personal information, going beyond the typical name and driver’s license number to include information such as internet browser history, geolocation data and audio.
“All those kinds of information can be associated with a person and contain intensely private information,” said Jacob Snow, an attorney for the American Civil Liberties Union of Northern California who focuses on technology.
One of the most significant aspects of the California law is a clause that gives the state’s consumers the right to sue over a data breach that meets certain criteria. If they are successful, companies that expose consumer data could be forced to pay between $100 and $750 per Californian affected by a breach and any other fees the court deems appropriate.
California’s approach is starkly different from Florida’s. Like most states, Florida has few laws regulating data privacy. None allow consumers to fully understand where their data lives and to take it back as California’s does, though the Sunshine State does have a law requiring businesses to notify consumers after a data breach of a certain size.
“Outside of that, there isn’t anything that really requires (companies) to take reasonable measures to protect personally identifiable information,” said Sri Sridharan, director of Cyber Florida, the cybersecurity center housed at the University of South Florida.
A bill proposed recently by Sen. Doug Broxson, R-Gulf Breeze, would get Florida slightly closer to California’s law by requiring websites to tell Florida consumers what personal information they collect and let them opt out of the sale of their data.
According to Clabby, many Florida businesses may not even realize they could be subject to California’s law.
“There were companies who 12 months ago were aware of this and steadily worked toward compliance,” he said. But, “there are companies who found out about it only recently and will have to do some hustling to get themselves where they need to be.”
The regulation is widely considered to be the first in what will likely be a tide of similar state laws and potential federal legislation. That means companies will need to figure out how to comply with multiple laws and still do business effectively.
“You could end up with a federal floor and then still have different states that set different levels of privacy protections for consumers, even if those privacy levels conflict,” Clabby said. “It’s not what the regulation is, it’s having certainty so companies can plan their business activities.”
Some companies are expected to take a segmented approach for now, where they would have one division for California and one for the rest of the country, as many do to comply with Europe’s significantly more stringent data privacy laws.
Others, such as Microsoft, are complying with California’s law and offering the same protections to customers around the country.