July 13, 2018 // Ellen Neveux // Last Updated: January 13, 2020
The European Union isn’t the only place taking the measures necessary to protect consumers and their personally identifiable information (PII). Recently, the EU dominated the headlines when it first announced, and later implemented, the General Data Protection Regulation (GDPR). But it’s time for the GDPR to share the spotlight with California. During the last week of June, California’s legislature introduced and passed new privacy legislation that has since been referred to as the “US GDPR”, but is formally named Assembly Bill (AB) 375.
About AB 375
It’s been widely accepted that consumers are having a harder time trusting companies, even ones that haven’t gone through a cyberattack, when it comes to protecting personal and sensitive information (e.g. PHI and PII). AB 375 attempts to take away this fear and mistrust toward companies by giving new privacy rights to consumers and bringing more transparency to the movement of people’s personal data. AB 375 was passed in late June of 2018 by California Governor Jerry Brown, but it won’t be in effect until January 1, 2020, which leaves time for amendments and other changes to be made. Although there is time to make changes before the start of 2020, this law has been a long time coming according to one of the co-authors of the bill:
“AB 375 responds to the recent data breaches that have affected millions of people-those experienced by Target, Equifax, Cambridge Analytica, and many more, the collection of our information combined with data breaches has raised concerns from internet users worldwide.”
AB 375 for consumers and businesses
Consumers: This law gives consumers the right to ask businesses about the types of personal information that are being collected or transmitted. Consumers can request that data be deleted from a business’s database, or even initiate civil action if they believe that an organization has failed to protect personal data from bad actors. Consumers will also be able to “opt out” of having their personal information sold. With all of these pieces considered, it keeps consumers both in charge and more accountable for their personal information.
Businesses: For the businesses, this means they must disclose the reason behind collecting (or selling) any of the consumer’s information. If a business is selling this information, they must also include the third-party organization that is receiving the data. Businesses are not able to treat consumers that “opt out” of having their data sold any differently than those who allow businesses to sell their information. Yes, businesses must adhere to this new law, but the ball is primarily in the consumers’ court because they’re the ones that are able to take control of their data like never before.
There’s no denying the obvious connections to the EU’s GDPR that was implemented at the end of May 2018. In fact, parts of AB 375 are very similar to GDPR regulations, and both laws stem from consumers’ scrutiny of organizations’ ability to safeguard sensitive information from bad actors. Specifically related to GDPR, AB 375 gives California consumers the right to request a copy of any data that a US organization may have stored on its databases (e.g. Social Security number, address, etc.), and consumers can even request that this information be deleted.
As we talked about in a past blog post, there are definite benefits to the GDPR that the US is currently feeling. Not only has breach reporting increased in terms of the timeline, but there has also been an increase in the number of breaches reported, because the GDPR requires organizations to notify local data protection authorities of personal data breaches they have experienced “without undue delay and, where feasible, not later than 72 hours after having become aware of it… unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
The GDPR has only been enforced for a little over a month (enforcement began at the end of May 2018) and changes have been felt around the world in terms of data privacy and breach reporting. For both consumers and enterprise organizations, it will be interesting to see what happens next in the world of data privacy.