New Law May Force Small Businesses to Reveal Data Practices
8.8.18 securityweek Security
NEW YORK (AP) — A Rhode Island software company that sells primarily to businesses is nonetheless making sure it complies with a strict California law about consumers' privacy.
AVTECH Software is preparing for what some say is the wave of the future: laws requiring businesses to be upfront with customers about how they use personal information. California has already passed a law requiring businesses to disclose what they do with people's personal information and giving consumers more control over how their data is used — even the right to have it deleted from companies' computers.
Privacy rights have gotten more attention since news earlier this year that the data firm Cambridge Analytica improperly accessed Facebook user information. New regulations also took effect in Europe.
For AVTECH, which makes software to control building environmental issues, preparing now makes sense not only to lay the groundwork for future expansion, but to reassure customers increasingly uneasy about what happens to their personal information.
"People will look at who they're dealing with and who they're making purchases from," says Russell Benoit, marketing manager for the Warren, Rhode Island-based company.
Aware that California was likely to enact a data law, AVTECH began reviewing how it handles customer information last year. Although most of the company's customers are businesses, it expects it will increase its sales to consumers.
While it may yet face legal challenges, the California Consumer Privacy Act is set to take effect Jan. 1, 2020. It covers companies that conduct business in California and that fit one of three categories: those with revenue above $25 million; those that collect or receive the personal information of 50,000 or more California consumers, households or electronic devices; and those that get at least half their revenue from selling personal information.
Although many small businesses may be exempt, those subject to the law will have to ensure their systems and websites can comply with consumer inquiries and requests. That may be an added cost of thousands for small companies that don't have in-house technology staffers and need software and consulting help.
Under California's law, consumers have the right to know what personal information companies collect from them, why it's collected and who the businesses share, transfer or sell it to. That information includes names, addresses, email addresses, browsing histories, purchasing histories, professional or employment information, educational records and information about travel from GPS apps and programs. Companies must give consumers at least two ways to request their information, including a toll-free phone number and an online form, and companies must also give consumers a copy of the information they've collected.
Consumers also have the right to have their information deleted from companies' computer systems, and to opt out of having the information sold or shared.
The law was modeled on the European Union's General Data Protection Regulation, which took effect May 25. The California Legislature passed its law to prevent a more stringent proposed law from being placed on the November election ballot.
Frank Samson hopes the California law will help prevent what he sees as troubling marketing tactics by some in his industry, taking care of senior citizens. When people inquire about senior care companies online, it's sometimes on sites run by brokers rather than care providers themselves.
"It may be in the fine print, or it may not be: We're going to be taking your info and sending it out to a bunch of people," says Samson, founder of Petaluma, California-based Senior Care Authority.
That steers many would-be clients to just a handful of companies, he says, and can mean seniors and families get bombarded with calls while dealing with stressful situations.
But many unknowns remain about the California law. The state attorney general's office must write regulations to accompany several provisions. There are inconsistencies between different sections of the law, and the Legislature would need to correct them, says Mark Brennan, an attorney with Hogan Lovells in Washington, D.C., who specializes in technology and consumer protection laws. Questions about the law might need to be litigated, including whether California can force businesses based in other states to comply, Brennan says. There are similar questions about the European GDPR.
In the meantime, small business owners who want to start figuring out if they're likely to be subject to the California law and GDPR can talk to attorneys and technology consultants who deal with privacy rights. Brennan suggests companies contact professional and industry organizations that are gathering information about the laws and how to comply.
Some small businesses may benefit, such as any developing software tied to the law. Among other things, the software is designed to allow companies and customers to see what information has been gathered, who has access to it and who it has been shared with.
The software, expected to stay free for consumers, could cost companies into the thousands of dollars a year depending on their size, says Andy Sambandam, CEO of Clarip, one of the software makers. But, he says, "over time, the price is going to come down."
And other states are expected to adopt similar laws.
"This is the direction the country is going in," says Campbell Hutcheson, chief compliance officer with Datto, an information technology firm.