As of January 1, 2020, the California Consumer Privacy Act came into effect as America’s first privacy law aimed at giving data subjects more control over their data and forcing companies to be more transparent about how they process personal consumer data. Personal data, in this case, extends to usernames, physical addresses, contact information, IP addresses, and device identifiers.
The new law empowers consumers to access the data that companies have collected on them, demand that it be deleted, and prevent it from being sold to third parties. CCPA is currently one of the most progressive and firmest data protection laws in US history, mirroring principles similar to those of the General Data Protection Regulation (GDPR) in Europe.
What Is The CCPA?
The California Consumer Privacy Act (CCPA) is state legislation enacted to strengthen privacy rights and consumer protection for California residents. It was initially proposed by a California entrepreneur who understood the limitations of existing data privacy laws, including the Shine the Light Law and the California Online Privacy Protection Act, as technology and social media companies were able to gather and sell their users’ personal data for targeted online marketing.
What initially began as a voter initiative passed both chambers to become legislation aimed at protecting the collection and use of personal consumer data. Entities meeting the $25 million annual revenue threshold that conduct business in California or with Californians must comply with the provisions of the Act.
Impact Of The Law On Internet Users
Under the provisions of the CCPA, California residents have the right to know the categories of information a company has collected, including specific pieces of information such as contact addresses and IP addresses.
The disclosure requirements could extend to all internet users across the globe and not just to Californians. It is hard for companies to single out California residents, so they will be forced to apply the requirement across borders.
In many ways, CCPA will reinforce the data protection measures that some companies, such as Facebook, have already adopted to comply with the GDPR.
Rights Granted Under CCPA
CCPA protects data privacy for Californians by granting them the right to:
- Delete personal information held by businesses and related parties
- Know the type of personal information collected and how it is used, shared, or sold
- Opt out of the sale of personal information and be protected from discrimination in prices and services when they do opt out
- Provide opt-in consent for children under the age of 16 and guardian consent for those below 13 years
Compliance Steps And Guidelines
Businesses covered under the provisions are expected to comply with the Act’s data privacy requirements before July 1, 2020, when enforcement begins. The following steps act as a guide towards compliance.
- Familiarize yourself with the CCPA Requirements
The most crucial step towards compliance is to understand each requirement of the CCPA so that you know which parts of your business fall within its scope. Based on the nature of your business in terms of revenue, business activity, and data handled, you will narrow your compliance scope. Taking time to read and understand the entire document will save you time and resources when the audit commences in July.
- Consider CCPA Context
Your compliance checklist should include an overview of all other frameworks you comply with, in particular the GDPR, with the aim of identifying overlapping requirements. Invest in good compliance software to help you compare and contrast the various compliance efforts so that you do not omit requirements in context.
- Map Your Data Flows
Mapping your data means conducting an in-depth analysis of where your information comes from, what form it takes, and where it is disseminated and used. In particular, check your vendors, business partners, and third parties to know whether they comply with legal requirements, as their non-compliance can trickle down to your organization. Understand your data assets and data flows before answering any customer request to access or delete their data. An oversight here can financially cripple your organization.
- Convene Your CCPA Team
CCPA is complex, and trying to break down every requirement will be a daunting task for your employees. Convene a team of risk and compliance professionals, legal staff, IT experts, human resource leaders, and security teams to help your employees understand the provisions of compliance.
GDPR requires organizations to have a data protection officer to aid in the compliance process, and since CCPA is technically GDPR Lite, it would be in the best interest of your organization to have an expert aid in compliance as well.
- Legal Implications
Non-compliance with the requirements of CCPA attracts civil fines of $2,500 per violation and/or $7,500 per violation if the violation is deemed intentional. To file a lawsuit against a company that has violated your consumer rights, you must be able to prove beyond a reasonable doubt that the company’s lack of the reasonable security procedures and practices required for that information caused the breach of the data.
Starting July 1, 2020, the office of the attorney general in California is mandated to investigate and charge companies suspected of violating the law. Before charging the business, the AG must give the company 30 days to become compliant, failing which the injunction and civil penalties apply.
What Is Next?
California, through CCPA, has set the benchmark for data privacy laws in the United States. Many states are following suit with their own data privacy laws. This puts a greater responsibility on companies gathering their users’ data, making them accountable for any mishandling.
CCPA will not only empower users but also dissociate them from the collected data in the event that it is used, thus helping to anonymize data. With the increasing awareness of data privacy across the globe, more data privacy acts will come into existence.
Until then, CCPA and GDPR continue to act as essential pillars of data privacy, paving the way for the global community to come up with unified laws regarding data security.