With the Cyber threat always changing, many new laws are appearing that are designed to keep the public safe. One of the new ways in which this is happening is in the protection of our sensitive information and data.

When we think of a business losing our data, we often conjure up images of the big Fortune 500 companies, and yes, even those retail stores like Home Depot, Target, etc., that have been so notorious for the loss of our credit card information.

But keep in mind also that it is not just the largest of the large corporations that are keeping our data . . . it is even the smallest of the small Mom and Pop shops as well. Take this as an example. Whenever we visit a huge shopping mall, the thought that our credit card information could be stolen will more than likely cross our minds.

But what about when we visit our local florist to send a flower basket to our mom . . . do we think about whether our credit card information will get stolen there?

More than likely not, because we have developed a certain level of trust with the store owner.  And, with that developed, we always assume that our private and confidential information will be safe.  But think twice about this.

This same floral shop is a much easier target for the Cyber attacker, because their lines of defense are down. After all, they probably do not have much of an IT budget to even consider owning an expensive firewall.

But more than likely, the Cyber attacker will not go after this floral shop.  Why?  They obviously want bigger fish to fry.  But small or not, even small businesses will soon be under the microscope as to how they handle and process their customer information and data.

The catalyst for all of this has been the California Consumer Privacy Act, which is set to become effective on 1/1/2020. It impacts not only businesses that reside in the state of California, but even those businesses that are located thousands of miles away but still have operations in California.

An example of this would be my own tech writing business.  Although I am domiciled in Illinois, if I transact business in California, I will still be subject to this law as well.

This law directly impacts the following kinds of businesses:

* Those with revenue above $25 million;

* Those that collect or receive the personal information of 50,000 or more California consumers;

* Those who get at least 50% of their revenue from selling personal information.

Granted, small businesses that don’t meet the above criteria won’t be directly impacted, but each entity will still have to make sure that its IT systems and websites can comply with consumer inquiries and requests. Of course, that will be an added cost to thousands for small companies that don’t have in-house technology staffers and that require software and consulting help.

Under this new law, consumers in California as well as those in other states will have a right to know what kind of information and data is being collected about them, and this includes all of the following:

* Names;

* Addresses;

* Email addresses;

* Browsing histories;

* Purchasing histories;

* Professional or employment information;

* Educational records;

* Information about travel from GPS apps and programs.

Whew. That is one exhaustive list. The law also permits consumers to obtain this information either via a telephone number or by completing an online application. Upon the completion of either one, the consumer must then get a copy of what is being collected about them. In addition to this, consumers also have a right to request that their information and data be deleted from a business’s database.

This new law was modeled after the European Union’s General Data Protection Regulation, which took effect on May 25th of this year.  More information about this can be seen here:

https://www.securityweek.com/eus-new-data-protection-rules-come-effect

But this new Californian law is still far from perfect. For example, the California attorney general’s office must still write regulations to accompany several provisions. There are also many differences between the various aspects of the law, and the California Legislature would need to correct them before the effective date. Also, there is a good chance that questions about the law might need to be litigated, especially whether California can force businesses based in other states to comply with it.

But, there might be one certain industry segment that might be immune from all of this:  The software development companies that actually develop the modules needed to make all of this come together.  This is so, because as previously mentioned, consumers can fill out an application form, and from here, they can then directly see all of the information and data that is being collected about them.

While this software package will be free for consumers to access and use, it will literally cost thousands of dollars per year to deploy and maintain. But the harsh reality is that other states are highly expected to follow California in crafting related laws with regard to information, data and privacy.

My thoughts on this? At first glance, my thoughts are a little muted.  I really don’t know exactly what to think quite yet.  While on one hand, I think it is great that we as consumers can finally see what is being tracked on us, I think that there needs to be yet another component to this law:

How to fight off Cyber attacks, and making businesses of all kinds and types come into complete compliance with an established set of Security best standards and practices.

But, to make things more effective, this should be made uniform across all 50 states as they craft their own privacy rights laws.  But trying to get all 50 state governments to come to a consensus could take a long, long time to achieve.