Tips to Prepare Your Organization for CCPA
Get ahead of the regulation with an enterprise data analysis
- The impact of the evolving regulatory environment
- How to create and assess your data footprint
- Why secure compliance benefits your entire organization
Learn about the California Consumer Privacy Act and its larger implications for the rest of the United States in Data Protection 101, our series on the fundamentals of information security.
While it doesn’t go into effect until 2020, the California Consumer Privacy Act represents one of the most sweeping acts of legislation enacted by a U.S. state to bolster consumer privacy. Falling on the heels of the GDPR, California Consumer Privacy Act may mark the beginning of stricter U.S. consumer privacy protections.
California Consumer Privacy Act Explained
The California Consumer Privacy Act is a piece of consumer privacy legislation which passed into California law on June 28th of 2018. The bill, also known as “AB 375,” has been described by some as “almost GDPR in the US.” Far and away, this Act is the strongest privacy legislation enacted in any state at the moment, giving more power to consumers in regards to their private data. With a variety of major tech giants based in California, including Google and Facebook (both of which have recently suffered data breaches), AB 375 is poised to have far-reaching effects on data privacy. AB 375 will go into full effect on January 1st, 2020.
Companies that already comply with the GDPR may find that they currently meet many of the requirements set forth in the California Data Privacy Protection Act. With many experts predicting that other states will follow suit in the coming years, companies across the U.S. that take proactive steps today to better protect consumer data will be best equipped to ride the waves of change.
All fifty states have enacted legislation to protect consumers’ private information, but some states have more stringent laws and penalties than others. To learn about data protection laws in your state, read through the Definitive Guide to US State Data Breach Laws or view the United States Data Breach Heatmap infographic.
Key Terms of the Primary California Consumer Privacy Act Defined
There are a number of terms defined in the legislation in order to clarify the parameters of the law. Certain businesses and all Californian consumers are the two groups who fall under the provisions in the bill, defined as:
- Consumer: According to the Act, “‘Consumer’ means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations…”
- Business: This term has a lengthy definition in the bill, which describes many typical business models and types. Three key articles to pay attention to include:
- For-profit entities which do business in California and collect personal information of consumers.
- “Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)...”
- “Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”
Defining “Personal Information”
Another important term loosely defined in the bill is “personal information.” According the AB 375, “The bill...would define ‘personal information’ with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.”
Dozens and perhaps hundreds of specific data items are mentioned in the legislation, including:
- Biometric data
- Household purchase data
- Family information (e.g., how many children)
- Financial information
- Sleep habits
- Specific Requests: Should a consumer desire to know what data is being collected, the company is required to provide such information — specifically about the individual. Some of the requests that can be made include:
- The categories of personal information collected
- Specific data collected about the individual
- Methods used to collect the data
- A business’ purpose for collecting the information
- Third parties to which personal information may be shared
- Deletion: If the consumer desires, personal information (with exceptions) will be deleted by the business.
- Same Service: Regardless of a consumer’s request and preferences about how their personal information is handled, businesses are required to provide “equal service and pricing…even if they [consumers] exercise their privacy rights under the Act.”
- Organized Data Collection: The bill allows consumers to request the specific information collected about them. These requests are to be provided at no cost to the consumer. Companies need to have the ability to quickly search, compile and send these reports to consumers.
- Clear, Transparent Policies: Consumers can request a report on the types of data collected, data sources, collection methods, and uses for their data. While the data itself needs to be stored in a well-constructed database, many consumer questions can be quickly answered in comprehensive privacy and data collection policies.
- Knowledge of Specific Provisions: There are clearly outlined requirements within the California Data Privacy Protection Act including things such as:
- “Provide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page…”
- Ensure any individuals who handle consumers’ private data know and understand all pertinent regulations.
What Does the California Consumer Privacy Act Provide for Consumers?
How to Comply with the California Consumer Privacy Act
As it stands, businesses will be required to comply with any and all provisions outlined in the final version of AB 375 by January 1, 2020. Companies actively doing business in California will need to adjust their current practices to avoid violations of the law.
Many of these changes translate to a need for:
In the time leading up to full implementation in 2020, there will likely be amendments that change current provisions, remove requirements, or even add to the regulation. It is important for all businesses to work towards a safe and healthy relationship between data collection and privacy while staying up-to-date regarding new data regulations.