California’s equivalent of the EU’s GDPR, the California Consumer Privacy Act (CCPA), is taking the U.S. by storm. Approved in June 2018, this wide-ranging privacy regulation, similar to the GDPR in many ways, aims to strengthen privacy safeguards in the U.S. and give people essential control over their data. It goes into effect Jan. 1. Here’s hoping businesses have preparations well underway to comply.
What is the California Consumer Privacy Act
Way back in 1972, the Californian Constitution was amended to include a right to privacy for its people. Over the years, various mechanisms have been put in place to protect this right. However, as technology has advanced and taken a central role in day-to-day business and life, it has become clear that personal information is now at much higher risk.
Many organizations process consumers’ information. Incidents like the Cambridge Analytica scandal have highlighted the pressing need for change. That incident, in particular, raised global awareness of the real risks: tens of millions of people had their personal information exploited without knowing it was happening.
With the CCPA, Californian legislation has been updated to deliver a data privacy transformation and bring the law up to date with the times and the expectations of people today. It also aims to align the law with advances in technology and business practice, to minimize the privacy impact when businesses process consumers’ personal information, to give consumers better protection and control over their information, and to give them the transparency they need.
The CCPA is the new California Consumer Privacy Act. It grants privacy rights to Californian residents and affects any entity that processes consumers’ personal information.
Who does the CCPA impact
The Californian legislation affects all organizations that serve Californian residents. A business does not need to be located in California to be bound by the law: wherever it is based, if it serves Californian residents, it must comply. This mirrors the GDPR, which requires any organization processing the personal information of EU citizens to observe the regulation regardless of where the company resides.
Some differences between the CCPA and the GDPR, however, relate to which businesses are affected. The GDPR requires all companies to comply, regardless of size or revenue. The California Consumer Privacy Act only affects businesses that meet one of the following criteria:
- Have an annual gross revenue of over $25 million.
- Purchase, sell, or share the data of more than 50,000 consumers, households, or devices (in this case, the size of the business does not matter).
- Derive more than half of their annual revenue from the sale of consumers’ personal information.
With this in mind, the GDPR may have a broader reach than the CCPA.
The CCPA does not apply to some organizations already bound by other compliance regimes, including health providers and insurers who must already comply with HIPAA, banks and financial institutions that fall under Gramm-Leach-Bliley, and credit reporting agencies that must comply with the Fair Credit Reporting Act.
Personal information under the CCPA
The California Consumer Privacy Act pertains to personal information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
While the GDPR covers any personal data relating to an identified or identifiable data subject (not necessarily a consumer), the GDPR and the CCPA are similar with regard to the information they protect: information that can be used to identify a person. However, the CCPA includes personal information that the GDPR does not, such as information linked to households and devices. The information covered by the new CCPA legislation is much broader than previously regulated information. It includes additional identifiers not generally thought of as personal information (ones that “relate to” or are “reasonably linked with” a consumer or household).
Personal information under the CCPA (as seen in the bill) includes:
- Identifiers including real name, alias, postal address, unique personal identifier, online identifier, Internet protocol (IP) address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.
The bill also includes inferences drawn from personal information used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
However, personal information does not include de-identified (anonymized) or aggregate consumer information, or some publicly available information (like data from government records).
Considerations for CCPA compliance
Businesses affected by the CCPA should really already be prepared. If not, preparations should be well underway. With the enforcement date just around the corner, businesses should have the necessary measures ready and workable to deliver on their responsibilities and to respond promptly to the rights of affected individuals from Jan. 1.
The rights granted to Californians under the CCPA allow them to exercise their privacy rights, so businesses processing their personal data must honor those rights as laid out in the legislation. Businesses will need reliable technologies, along with data governance policies and procedures, to fulfill them adequately.
The following requirements need to be met under the CCPA:
- Consumers can request and access the information collected about them. (Information collected about them must be disclosed in advance of the collection, and no more data or information may be collected without additional consent.)
- Consumers can request to have information deleted (the right to be forgotten).
- Businesses must disclose the categories of information and purposes of data collected.
- Companies selling customer information must provide details about the categories and to whom the data is being sold.
- Consumers can opt-out of information being sold to a third party.
- Businesses will not discriminate against consumers that exercise their privacy rights under the CCPA.
- Businesses should respond to an information request within 45 days and have a free and clear route for consumers to exercise their privacy rights (instructions on a webpage or a toll-free number to call).
- Businesses that sell information must provide a clear and conspicuous link on their website titled “Do Not Sell My Personal Information.”
- Businesses must provide access to online privacy policies and California-specific descriptions.
- Businesses must provide awareness training for employees about the CCPA.
- Businesses need to provide a clear way for consumers to opt-out.
- Businesses need to provide a means for consumers to authorize a person solely to opt-out on their behalf.
- Consumers affected by a breach of their personal information through unauthorized access to inadequately protected personal information can submit a claim to the attorney general, which can result in damages between $100 and $750 per customer or per incident.
- Noncompliance with the CCPA may result in fines up to $7,500 per violation.
Steps to compliance
To fulfill the obligations of the CCPA, the business must review its existing data inventory (the data it holds and processes) as well as the record-keeping processes it uses. It needs to identify and classify its data assets: determine where personal information resides and assess its security risk. Determine whether each data set is necessary to keep and, if not, securely remove it; it is always good practice to store only what is needed, and removing unnecessary data removes unnecessary risk. Keep the data inventory up to date by continually reviewing and managing it.
Put procedures in place, or make the necessary changes to existing ones, so that the business can respond to consumers’ privacy-rights requests as laid out in the legislation. Controlling access to the data is vital for its protection. Implement appropriate permissions and limit access to data wherever possible.
Ensure that a system is in place to manage and monitor the data so that any unauthorized access attempt can be detected and responded to. Stay abreast of cyber threats, review controls continuously, and adjust them as needed to maintain security.
It is imperative, and should be a priority, to educate and train all employees on proper data handling and the consequences of improper data processing. This training needs to be relevant, continuous, and encouraged from the top down. Without it, the policies and procedures in place will not be sufficient: if staff are not putting them into practice, what is documented is futile.
Seek the necessary support. If this means getting expert advice from more experienced consultants, or engaging legal services to move the process forward, do so. Not every business has the resources on hand, and many will need to look outside the business itself.
A New Year, new legislation
A business’s existing security maturity level and its data protection and governance strategies will determine its readiness for the CCPA. So it is important to approach CCPA compliance by considering the organization’s existing degree of preparedness; an assessment can be undertaken to determine this.
On a positive note, businesses already complying with the GDPR should find that many aspects of the CCPA are already addressed. Because the GDPR requires strong security and privacy controls, CCPA compliance may be within close reach with only a few adjustments or additions. Those that do not already comply with the GDPR may have a lot more work to do.