California’s new data privacy law, which takes effect January 1, 2020, together with Vermont’s data broker law, which became effective May 22, 2018, is just the beginning of the privacy wave sweeping the U.S. In a nutshell, the California Consumer Privacy Act (CCPA) will entitle people to know the categories of personal information that businesses collect about them, and give them the right to opt out of the sale of their personal data to other parties.
Although the effective date for the CCPA seems far away, it’s imperative for companies to start preparing now to avoid headaches and costly fines.
Here’s the deal:
The CCPA draws heavily on the GDPR. As stated in AB-375, California voters amended the state Constitution in 1972 to include privacy as an inalienable right. The CCPA extends this right to digital data, stating, “Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”
The policy itself cites previous attempts to safeguard the privacy of California citizens.
But here’s the kicker:
Nothing like the CCPA has been attempted before in the U.S.
Quick definitions before we dive in:
Like any law that’s passed, the CCPA has specific definitions that are important to know so you can fully understand the reach of the law.
Businesses are defined as for-profit entities that collect personal information on Californians and meet one or more of the following:
Personal information is defined as:
Consumers have a right to deletion; however, there are some important exceptions.
Businesses do not have to comply with a request if there is a need to maintain the data in order to:
If a business discriminates against consumers for exercising their rights under the CCPA, it is in violation of the act. The CCPA defines service discrimination as the following:
The passing of the CCPA is part of a global trend pushing companies toward greater accountability to protect consumer data. It has also set the stage for other states to implement their own personal data and consumer rights laws.
"While this law just covers California currently, large companies will soon have to offer similar rights to Americans."
Alastair Mactaggart, chief proponent of the CCPA
Below are the critical reasons your company should address compliance for the CCPA and prepare for future regulations.
The CCPA will require companies to include the following in their privacy notices:
Companies will have to know what personal information they are storing on Californians, every place it lives in their systems, and whether that information complies with their current retention policies.
Companies need to implement procedures to handle all consumer requests regarding their personal data. Consumers have the right to request a detailed record of the data a business holds on them, as well as information about what is being done with that data in terms of both business use and third-party sharing. This record must cover the 12 months preceding receipt of the request, and the business must respond to the consumer within 45 days of the request.
To ensure that you cover all your bases, let’s review some of the steps to do this.
Companies need to go beyond the bare minimum requirements when protecting data against breaches by external criminals and insiders. Consider your vulnerabilities and work to mitigate the risk of an attack.
The CCPA will disrupt your current data supply chain in some way, and you should be prepared. Companies that use third-party data processors need to ensure those processors are meeting CCPA compliance. Third parties may not always be located in the state of California or even in the United States, so it is important to make clear what is at stake for non-compliance and to ensure that they do not hinder your ability to meet compliance with the CCPA.
Ensure your third-party vendors do the following:
With the California Attorney General’s Office holding public hearings to get input on the CCPA, it’s safe to say that this is an evolving law that will continue to grow and change over the next 12 months. Auritas can help your company not only become compliant with the CCPA and GDPR, but also stay up to date with important changes to both of these laws that may impact your business.
For more information, please contact one of our CCPA & GDPR experts at CCPA@auritas.com.
Interested in more? Click here to view our CCPA webinar!
2018 was the year of data breaches. Companies such as Facebook, Google, Uber, and Marriott were all splashed across front pages and in every major news cycle due to unethical data practices or unauthorized access by third parties.