California Consumer Privacy Act hits payments

Businesses across the globe have spent the better part of the past 18 months scrambling to comply with the EU’s sweeping new General Data Protection Regulation (GDPR). Yet while firms have been devoting huge chunks of their time and compliance budgets implementing new GDPR processes, lawmakers in the US state of California have just tossed a curveball in passing an equally stringent package of data protection measures – and they have serious implications for the global payments sector.

The California Consumer Privacy Act 2018 was enshrined into law on June 28, and has effectively introduced the strictest online consumer protections in American history. It applies to all businesses operating in California with an annual gross revenue of $25m or more and firms that collect and share the personal data of more than 50,000 consumers for commercial gain or companies that make more than 50% of their revenues from selling data.

Yet it’s worth pointing out the law does not simply apply to American, brick-and-mortar businesses based in California. All affiliated, co-branded entities carrying out business-related activities in the state must comply – and bearing in mind California is home to the world’s fifth biggest economy, that means a huge number of businesses across the globe have now been placed on the back foot in terms of fulfilling their legal obligations to US consumers.

First and foremost, the Act explicitly declares the rights of all Californians to demand that companies hand over copies of all personal data records, explain how data has been categorised, how it’ll be used and who’s been given access to it.

Companies must explicitly state what information is being collected and how it will be used at the point of consent, and it is strictly prohibited to use data for any other purpose unless the data subject has been notified and has consented.

The Act has also introduced the right to be forgotten, meaning companies are legally required to delete all personal data relating to an individual if requested. Meanwhile, it restricts businesses that buy personal data from reselling that information to a third party unless data subjects have been notified and given the chance to opt out.

Finally, the Act imposes new rules on companies with “freemium” business models by banning refusal to deliver goods or services because someone has exercised their privacy rights. Companies retain the right to charge different prices based on a data subject’s privacy selections – but only if that difference is reasonable in relation to the value of the data. If a firm wants to offer an incentive for submitting personal data, the individual must explicitly opt in and subsequently be able to opt out at any time.

The consequences of this legislation are far-reaching where payments firms are concerned – yet the actions companies must take to comply almost perfectly mirror the steps firms have already taken in relation to GDPR. Basic actions such as amending online privacy statements, upgrading data security infrastructure, appointing a designated data protection team and rethinking consent and notification procedures are absolutely critical – but multinationals doing business with the EU should have already taken such steps.

Fortunately for any of those firms doing business in California that aren’t yet GDPR-ready, the California Consumer Privacy Act won’t come into effect until January 2020. Yet above all else, the global payments sector should take this development as a clear sign that regulatory convergence very well could be on the horizon where data protection laws are concerned.