As businesses grapple with compliance over the European Union’s General Data Protection Regulation (GDPR) – which went into effect on May 25 – another regulatory measure may be on the horizon for the security industry. This data privacy regulation could be adopted and enforced in one single state – California. What is unique about the potential California consumer data privacy measure is that it will not be introduced, debated or reviewed by the California State Legislature in Sacramento, nor will it be administered through traditional executive rulemaking processes. Instead, in November 2018, California voters have the opportunity to create another consumer data privacy law, tantamount to GDPR, through California’s ballot initiative process. According to the ballot initiative’s website, if enacted, the California Consumer Privacy Act of 2018 grants consumers the right to ask companies to disclose which types of personally identifiable information (PII) are being collected and sold for business purposes, the right to tell companies not to share or sell PII to third party entities and the right to take legal action against companies that may be in violation of the consumer privacy law.
SIA companies with more than $50 million in gross revenues would be required to comply. Additionally, if a company grosses under $50 million but its parent company grosses more than $50 million, the subsidiary is still required to comply. If your company uses security systems to collect, market, or sell PII for business purposes – or shares collected PII with a third party that might do the same, your company will most likely be required to comply. The larger issue here is that if this initiative passes, it may lead to other states adopting similar legislative language. This would create regulatory complexities for member companies. SIA is actively monitoring the California ballot initiative and would welcome membership input on how SIA should approach the California Consumer Privacy Act of 2018. If you have any additional questions or comments, please email Joe Hoellerer at firstname.lastname@example.org.
Kathleen Carroll is the managing partner at Seven Seas Consulting and serves as the chairwoman for SIA’s Data Privacy Advisory Board.