Why should California based businesses care about a European Union law? In English, it translates as the “General Data Protection Regulation”, which regulates the ownership and transfer of personal/consumer data inside and outside of the European Union.
It dictates that any company or organization that will collect, process, or transmit personal data has technical and policy measures in place to protect the data.
It requires that companies clearly point out when data is collected, the purpose for collecting or processing the data, be transparent about policies such as how long the data is retained, and crucially, if the business plans to share that data with partners or third parties.
It allows any consumer to request and receive a data collection policy of the company and requires known data breaches to be reported within 72 hours. This law became a model for similar laws that were adopted in multiple countries in South America, Asia, Africa, and the US (we will discuss the CCPA soon.)
However, the question remains. Do US businesses have to comply?
If your company has, does, or ever will have a customer or vendor that is within the European Union, you will fall under it’s jurisdiction. European Courts can cause you many headaches if any of your customers or website visitors (if you are a media company) come from the EU. This can include actions such as seizing your materials, products, shipments, etc; when the go through EU areas. If you visit the EU, you can be fined when not in compliance, if it has been ordered.
If the matter is serious enough, there are international courts through which actions can be brought. Obviously, if your company has bank accounts, customers using EU bank accounts to
pay you, representatives, or facilities in the EU, they are all subject to EU court jurisdiction. With 1 to 1.5 Trillion Dollars in trade between the US & EU each year, there are more than a few California businesses affected. (A few unusual example is the $57 Million dollar fine against Google, and other large fines against Marriott hotel chains and British Air.)
Gracefully, companies with less than 250 employees are not required to maintain specific records of their data processing activities.
What if you say, “whew, none of those apply to me. I do not have to worry about complying!”
That’s excellent for you, however, California Consumer Privacy Act went into effect in 2020, which now means any California based business (and because state orders can be domesticated from any other US state,) many more millions of US business now faces litigation liability if it does not comply with these data protection principles.