January 3, 2019
The California Consumer Privacy Act
In the world of data security, ensuring consumer privacy and security is a vital part of how any business or organization should handle the storage of proprietary information. Consumers share data such as their driver’s license number, address, social security number, and much more with businesses and organizations. When information such as this is not protected, it can cause a slew of problems such as identity theft. General data protection is only the first step; privacy policies are continually evolving, causing compliance requirements to change. Privacy protection is a big deal in any business, for the owner as well as the consumer. A lack of security procedures and measures causes a lack of trust for the consumer. Consumers’ rights are important, and California is making changes to ensure they are taken seriously. The California legislature has presented the CCPA of 2018, set to take effect in 2020.
“The CCPA: Applicability to the U.K., EU, and Beyond | On-Demand Webinar Recap”
Scott Giordano, our VP of Data Protection, presented a webinar detailing changes and additions to the California Consumer Privacy Act (CCPA). Signed into law on June 28, 2018, the CCPA represents the most demanding state privacy regulation in the United States.
To watch the webinar on-demand, click here.
Here’s a quick overview of Scott’s presentation and analysis of CCPA:
What is CCPA?
Commonly known as California’s version of the EU’s General Data Protection Regulation (GDPR), the CCPA is much more complex, and as it is rolled out, will likely have global applicability. Officially effective on January 1, 2020, the CCPA includes GDPR-like requirements addressing the rights to access, delete, and transfer personal data with some key differences.
The consumer’s rights to access, delete, and transfer personal data within the guidelines of the current CCPA have a few principal distinctions from the GDPR. Empowering consumers with the right to prevent the sale of sensitive data to third parties is a primary difference between the two and will likely impact the business models of companies around the world.
Scott notes that it is important to realize that consumers will soon receive a flurry of notices asking them either to “opt in” to the collection of data or to “opt out” of it. These notices will continue to increase as the implementation date of CCPA draws closer.
Californians for Consumer Privacy led the ballot initiative for CCPA. The cause raised over 3 million dollars to back the ballot and try to get more effective privacy legislation in place. Many large companies such as Amazon, Facebook, and Comcast donated to the cause.
In addition to providing more regulations for how to handle the personal information of California residents, the CCPA changes the way someone notifies an organization that their information has been mishandled. Previously, California residents had a 30-day window to disclose breaches in security when handling consumer data to the California Attorney General. The Attorney General then also had the same 30 days to process the complaint and decide what to do with it. Consumers are now allotted the same 30-day window, but instead of being required to notify the Attorney General’s office, they are now only required to inform the business at fault.
About Other Acts
In the storage of private information, there are many other acts and bills at play for consumers’ rights. For instance, a healthcare facility will have different requirements to meet than other service providers. Organizations that have to comply with a certain privacy law such as HIPAA, the Driver’s Privacy Act, the California Financial Information Privacy Act, or the Gramm-Leach-Bliley Act are not required to comply with the CCPA. There are, however, some instances when the CCPA’s private right of action still applies.
What Does CCPA Mean for your Organization?
The statute centers on businesses and on what qualifies a business as subject to the law. It is important to understand that CCPA will apply to all businesses that collect or use personal information, not just those companies in California. Because California’s long-arm statute gives the state extended jurisdiction, unless you operate wholly outside of California, you will be subject to the law.
So even if you have headquarters outside the state of California and have no physical operation there, if a resident of California engages with your company, you are subject to this Act. The significance and impact of this requirement is clear, because 20 percent of the nation’s population resides in California, making it virtually impossible not to make any sort of contact with anyone in that state.
Scott also outlines how CCPA is still very much a working document, but failing to prepare for it now is preparing to fail in a disastrous way in the future. What is critically important to remember moving forward is that this is not just an “IT” problem. It’s a cross-functional issue, and you’ll be doing your whole company a disservice if you put this all on the IT department. To learn more about the details and insights Scott mentioned, as well as the crucial advice he gave on preparation for the CCPA, watch the entire webinar linked below.
1) While GDPR is longer, CCPA is much more complex and likely has global applicability.
2) The right to prevent the sale of data to third parties is a primary difference between the two and will likely wreck the business models of many companies.
3) Creation/update of a data inventory is the most important element of complying with both regulations.
Data privacy and consumer rights will be major issues for organizations of all types moving into 2019. We will continue to stay ahead of the changing data privacy landscape and share our insights with you on a regular basis. Knowledge is power when it comes to preparing for and adhering to continuously changing regulations.
Click here to watch the webinar recording now.
At this time the act has not yet become law but is expected to go into effect Jan. 1, 2020, and as such, the act could still be amended. When the act is finalized, compliance standards could potentially change. Checking for amendments to the CCPA as time goes on can help protect you as a consumer or a business owner.
At Spirion we understand the vital importance of consumers’ rights, of data privacy law in association with data security and data protection practices, and the effect it has on an organization. Enforcement actions have to be taken to help avoid unauthorized access to sensitive data. For help ensuring the protection of proprietary information, contact us today!