It all leads back to GDPR. If you aren’t in the know on GDPR, you had better get informed in a hurry, as data privacy laws are expanding on a global stage. The General Data Protection Regulation (GDPR) was passed into law in May 2018. In June of that year, California's privacy laws were passed and came into effect on January 1, 2020.
Previously, there were no clear data privacy laws in the US. Tech companies could be sued for violating antitrust laws or lying to consumers, but there was no legal basis for protecting personal data. Data collection went virtually unregulated, and multiple attempts at legislation failed.
Through initiatives and referendums, citizens of many US states can place new legislation on the ballot. In 2017, Alastair Mactaggart, a California-based real estate developer concerned about data privacy, circumvented the normal process to avoid California's tech lobby.
The Facebook-Cambridge Analytica scandal broke the following year, and data privacy hogged the headlines. The tech lobby and legislators worried that if the initiative made it onto the ballot, it seemed sure to be passed, and a 70% majority would then be required to change the law. They then passed their own version.
The California Consumer Protection Act (CCPA) is similar to the GDPR, granting California consumers rights over how their personally identifiable information (PII) is collected, stored, and used by businesses.
The CCPA regulations guide the implementation of the act. Consumers now have the right to see all personal information a company has on them, how it is used, and the third parties with whom the data is shared. In addition, customers can sue companies if their privacy is violated, whether there is a breach or not.
Businesses must notify the consumer of the types of data they will collect at the time of the request and provide the information they've collected upon request. A business has 45 days to respond and 12 months to provide the requested information.
Consumers have the right to delete personal information collected about them (with some exceptions). Businesses are not required to provide an online form for data deletion, so consumers may have to assert this right by telephoning or emailing. Once received, companies have 45 days to respond to requests (they can extend this period by 45 days if they send a notice to that effect).
Consumers can opt out of the sale of their personal information. By default, children under 16 are protected from the sale of their information and must opt in to have their personal information sold. If under 13, a parent or guardian must give explicit consent on the child's behalf.
The legislation further guarantees consumers may not be discriminated against for exercising their CCPA rights. Businesses cannot change the quality of products or services or charge different prices if the consumer exercises any of their rights. But incentives like discounts can be offered in exchange for a consumer's personal information.
The act defines covered data as any information that can identify or relate to, or might be linked with, whether directly or indirectly, a particular consumer or household.
Apart from the obvious, like your name, email address, driver's license number, passport, and social security number, PII also includes biometric data (including the outline or shape of the face, the image of the iris, and digital fingerprints), purchase and browsing histories, voice recordings, geolocation data, your IP address, and the profiles that advertisers like Google build on consumers.
The CCPA originally included employee and consumer data, but a subsequent amendment exempts employee data from the regulation.
All kinds of businesses are subject to CCPA regulations. They must be registered on the Attorney General's website if they:
Since the US lacks a national data law, and California is its largest state, the CCPA's repercussions have been felt all over the US, with major tech companies like Microsoft announcing that the changes it had made to comply with California's privacy laws would apply to all users in the US.
Whether a company has its base or a physical presence in the state is immaterial. Because the CCPA has extraterritorial reach, businesses do not have to be based in the US to be subject to the act.
Other businesses and organizations within the US are also not subject to the regulations of the CCPA, including non-profits and government agencies.
The California Attorney General enforces CCPA compliance. Individuals cannot sue businesses for CCPA violations, except in the case of a data breach that has resulted in the theft of non-encrypted, non-redacted personal information. But individuals can register a consumer complaint with the Attorney General's office if they believe a business has violated the CCPA. The Attorney General may then launch an investigation and take legal action.
The penalties for non-compliance are high. Once regulators notify them of a violation, companies have 30 days to comply. If the company fails to act within 30 days, the Attorney General might take civil action, including imposing an injunction and a civil penalty of $2,500 for each violation. If the violation is considered intentional, that might rise to $7,500 for each violation.
Several states have been working on their own privacy legislation since California's privacy laws came into being. As of June 2021, privacy legislation was in committee in Illinois, Massachusetts, New York, North Carolina, Pennsylvania, and Texas. In addition to California, comprehensive consumer laws have been enacted in Colorado, Virginia, Connecticut and Utah.
The US is a patchwork of rules, with no generally applicable federal privacy law except concerning children. Under the Children's Online Privacy Protection Act (COPPA), federal requirements govern online information collected from children under thirteen. Also, at a federal level, consumer privacy is protected under the Federal Trade Commission (FTC) via regulation of unfair competition. Deceptive practices or acts are covered under Section 5 of the FTC Act.
There are also sector-specific privacy requirements (e.g., for the financial sector, the telecommunications sector, and healthcare providers, and rules applicable to using credit reporting information).
Domestically, financial data is protected under different regulations on banking data, credit reporting, and financial privacy. Health data is the domain of the Health Insurance Portability and Accountability Act (HIPAA).
Meanwhile, the Freedom of Information Act allows the public to request the disclosure of information held by public agencies. However, public agencies do not need to disclose certain types of information that fall under one of the act's exemptions. If any information covered by one of the nine exemptions is contained in part of a document, video, audio recording, or image, agencies need to redact that information before sharing the file with the public.
Redaction means censoring or obscuring a part of a file (text, audio, image, document, video). Before a file is released, redaction should be performed to hide information contained within it for security, legal, or compliance purposes.
Hiding information in a single image is easy, but not when there are thousands of images or hours of video footage. People, faces, vehicles, audio, license plates, healthcare records, identity cards, and financial and other confidential information such as symbols and logos must all be obscured by blurring or pixelating.
Video redaction tools enable even someone without video editing experience to easily create redacted versions of video files without affecting the original file so that CCTV surveillance and other footage are compliant.
How can you stay on top of California's privacy laws?
Businesses can't afford to expose themselves or their customers' data. If they do not secure their business's data management system and certify that they have met all state law requirements, they face huge penalties. With affordable monthly subscriptions and free onboarding, don’t let cost and time be an excuse.
Sighthound Redactor offers smart video redaction solutions for businesses, local and state government enterprises, healthcare, education, law enforcement agencies, and manufacturing, financial, and banking industries. With several deployment options that fit the quantity and quality of videos businesses capture, there is sure to be a solution that can be personalized to any business needs.
Redact Customer Faces with Sighthound Redactor
Businesses should start planning for what will eventually be global industry standards for consumer data privacy and be ready to comply when new privacy regulations become more widespread. In today's information-driven world, an organization that cannot manage its data will cease to exist. The only way to ensure a future in the market is to safeguard data, become proactive in privacy legislation awareness, and understand the various options for data redaction solutions.
To find out more about how Sighthound Redactor can save time, money, and stress in making your business compliant, contact us today!