California's privacy law raises risks of legal action and fines over data collection

California is leading the way with strict new data privacy provisions and substantial fines for non-compliance from a new enforcement agency -- not everyone is ready.
Written by Tom Foremski, Contributor

California's new, stricter data privacy law takes effect January 1, 2023, but companies must be ready to provide a personal data report for the prior 12 months to any California resident -- it's one of several provisions in the new law that are not well understood but could result in massive fines.

The upcoming California Privacy Rights Act (CPRA) is considered a pioneer in data privacy and it strengthens the current California Consumer Privacy Act with stricter rules. Enforcement is also beefed up with the creation of the California Privacy Protection Agency (CPPA) plus the ability of individual Californians to file suits against companies for non-compliance.

The law was passed in November 2020, and it applies to any company of sufficient size that does business in California, which includes online sales without requiring a physical location.

California residents can ask a company how their personal data has been used and for what purpose, and they can request that their personal data not be sold or demand that it be deleted, including any data that has been sold to third parties.

Each company must also state if artificial intelligence was applied to any of their personal data, and if it was, what the logic was behind the AI. This is essentially asking for companies to reveal how their algorithms rank the data.

The first step companies have to take in preparation for CPRA compliance is to know where all their data resides -- which is not an easy audit.

"Many companies have no idea where they keep all the personal data on customers," says Bill Tolson, VP of global compliance at Archive 360. "There can be copies of the data on people's laptops that aren't known about and that creates substantial risks of non-compliance."

Collecting personal data carries substantial financial risks under the new law, with fines for each day of non-compliance.

Tolson says that many companies are questioning how much value they gain from their data versus the costs of complying with the new law and the additional risks of fines from uncontrolled uses of private consumer data.  

Archive 360 recommends that data be centralized into a unified information management platform, which improves security, prevents multiple copies from being made, and avoids the risk of losing track of the data's location. This also makes it very easy to comply with requests from California's residents.

Other solutions include data masking, which removes the identity data within a database, making it impossible to create a personal data report.

Foremski's Take:

The upcoming California law is considered groundbreaking in the scope of its strict privacy provisions and it will be closely watched as other US states prepare similar versions to protect their residents.

Large companies are potentially facing a patchwork of state privacy laws which makes compliance hard to achieve and will likely result in substantial fines. Overall, it will force organizations to reassess all their data assets. 

Companies are told that "data is the new oil", and Tolson agrees but notes that oil is also an environmental hazard.

Unlike oil, private personal data can be erased and its toxicity to society eliminated in a millisecond or two. California's law could lead the way in helping to limit the use and misuse of Internet tracking technologies across the nation.
