When it comes to consumer protection, it seems like California is the role model that other states are looking up to.
From net neutrality to data security and privacy, the Bear Republic has been the leading US state to impose draconian rules. The state passed a sweeping law as Gov. Jerry Brown signed the California Consumer Privacy Act (CCPA) on June 28, 2018.
The consumer privacy law will be enforced starting January 1, 2020. It is considered a compilation privacy law that grants consumers new rights over their information, including the “right to erasure.”
The “Right to Erasure,” more commonly known as the “Right to be Forgotten,” is not new. It dates back to pre-GDPR times, when Mario Costeja Gonzalez filed a case against Google to block search results about him that detailed his earlier monetary issues. He argued that the links were beside the point and were ruining his reputation.
Google was held responsible and was ordered by the Court of Justice of the European Union (CJEU) to delete incorrect, excessive, or insignificant links. The right was later incorporated into the GDPR, with restrictions that include cases where the information is needed to complete a transaction or to comply with legal obligations.
California has created its own version of this right. The relevant section of the CCPA gives consumers the right to request deletion of their personal data. Businesses subject to the law must communicate this right to consumers. It should be conveyed to consumers in a “way that is rationally obtainable.”
As with the GDPR, the consumer’s right to deletion under the CCPA is not unlimited. Several of the GDPR’s restrictions are replicated in the California law and set out grounds on which a company can decline an erasure request. These include cases where the information is:
- Required to complete the transaction for which it was gathered, or essential to provide goods or services requested by the customer
- Used in the context of the business relationship with the customer
- Needed to perform a contract
- Used to detect security incidents and to protect against malicious, deceptive, or illegal activity
- Needed to engage in experimental, factual, or demographic study in the public interest
- Used only for internal purposes that reasonably conform to the customer’s expectations
- Needed to comply with a legal requirement or suitable measures
Meanwhile, in Ohio, the Congress instituted a protection against misdemeanor claims for business organizations that suffer a data breach if they had implemented specific data breach standards. Senate Bill 220 was enacted into law on Aug. 3 of this year and creates an absolute defense that is available when the business had implemented a written cybersecurity program that “sensibly conforms” to particular administrative or sector cybersecurity frameworks or rules for the safeguarding of personal data. The new legislation will be implemented on Nov. 1, 2018.
In Colorado, a revision to the state law requires reasonable data security procedures and improved breach notification provisions. Starting Sept. 1, any business that operates, owns or accredits personally identifiable information (PII) needs to implement and maintain reasonable security practices that are “relevant to the PII structure as well as the type and the stature of the business and its applications.” Under the state’s House Bill 18-1128, businesses must likewise establish a written policy for the disposal of data that contains PII, be it in paper or electronic form.
Consumers have the right to their personal data since it is theirs in the first place. Anyone who compromises others’ information should be held liable, especially if the data was acquired illegally and without the consent of the owners.