Business Guidance for the California Consumer Privacy Act

EXPLANATION AND BRIEF HISTORY

The California privacy law, called the California Consumer Privacy Act (CCPA) of 2018 and also referred to as AB 375, was passed by the legislature on June 28, 2018, and takes effect on January 1, 2020. The bill, signed into law by the Governor of California, Jerry Brown, is set to change, and to better monitor, how businesses handle people’s personal information and data in California, the most populous state in the United States of America.

The law came about quickly as a result of a citizens’ initiative that the California legislature wanted to avoid. California citizens can use ballot initiatives to propose new laws and constitutional amendments without going through the legislative process. Once the new law was passed, the sponsors of the citizens’ initiative agreed to withdraw the initiative from the ballot.

The CCPA will give customers more control over their personal data. It requires that, upon a customer’s request, companies and businesses collecting and holding personal information report to the customer certain specifics about the personal data that has been collected. The reports must include the purpose for which the data was collected and which third parties have received it.

HOW IT RELATES TO THE GDPR

Compared to the General Data Protection Regulation (GDPR), a regulation set up in the European Union on data protection and privacy for all individuals within the Union, the California Consumer Privacy Act is both stricter and broader, imposing more data privacy protections and requirements than the GDPR. Jeff Brown, the Vice President of Imperezzio (a technology software company serving the insurance industry), says this new GDPR-like-but-tougher privacy law is “a natural progression of GDPR.” Because the CCPA enables customers to understand and control their data, he describes it as a social rights issue. The key difference between the European Union’s GDPR and the new California law, according to Joshua Motta, the CEO of Coalition, is that while fines and penalties are not insurable under the GDPR, they are under the California privacy law.

Both data privacy laws provide consumers with greater access to, and control over, the personal data businesses collect from them. Stronger consumer rights and significant fines put more pressure on organizations to ensure the sensitive personal data they collect is fully accounted for and protected. Whereas previous privacy laws often related to the general protection of data, the GDPR and CCPA extend data privacy rights to individual consumers, adding new complexity to data governance programs and increasing the need for accurate sensitive data discovery solutions.

Note that the GDPR and the CCPA have one other distinguishing difference. Under the GDPR, companies and businesses are strictly required to provide an opt-in consent mechanism for the use of customer data, while under the California law, customers and individuals must request disclosure of who is using their information and can then choose to opt out.

IMPACT TO BUSINESSES

Since the passage of this law, approved by the legislature as well as a majority of voters, some guidelines must be followed by profit-making businesses in California regardless of whether they are technology or internet based. Organizations affected by this law include every business that has a minimum annual total revenue of $25 million, or holds personal information of at least 50,000 people for commercial purposes, or sells customers’ personal information and derives 50% of its revenue from those sales. The same law also applies to extensions or affiliates of these businesses, whether physically located in California or not. The new law lays out the rights of customers to their personal data in several categories that businesses must disclose and provide to them when requested:

  • Categories of personal information collected about customers
  • Categories of sources from which the personal information is collected
  • Business or commercial purpose for which the customers’ information is collected or sold
  • Categories of third parties with whom the businesses or companies share customers’ personal information
  • Specific pieces of personal information the third parties have collected about the customers

In terms of business compliance and preparedness, companies will have to implement new infrastructure to handle customer requests better. Companies’ websites will also have to be modified to include a section where customers can opt out, choosing not to have their personal information sold by the company. That section must appear in a clear and conspicuous form on the business’s website or homepage under the title “Do Not Sell My Personal Information.” While the CCPA does not expressly state whether companies or businesses may legally charge customers differently, or provide a different level or quality of goods or services, to customers who choose to exercise their rights under the new law, it is unlikely those business practices will be allowed.

This law will require businesses to be more accountable in their collection and use of customers’ personal information; if it is not well understood and carefully followed, they may be liable. Businesses and companies, therefore, must carry insurance against incidents of infraction. The California Governor, Jerry Brown, also advised businesses and companies in California to create a new internal position of Data Protection Officer who has the expertise needed to help them comply with the law.

Once enforcement begins, a legal battle against the CCPA may follow in court. As the law seems to affect small businesses most adversely, it may have negative implications for them in the long run. However, the law targets the practices of technology companies and the data systems that many customers do not know about, and so affords more privacy protection for individuals. The new law has received national interest, and other states are expected to follow California’s lead in adopting new data privacy laws.

IMPACT ON CONSUMERS

The CCPA serves individuals and consumers well. Once it is implemented, people can take note of the new rights the California law provides them and may choose to exercise them. The law includes the right to be informed about their data. Individuals must be able to access their data in a concise, transparent, intelligible and easily accessible form. The law also includes the right to rectification, the right to erasure (the right to be forgotten), the right to restrict processing, the right to opt out of further collection and use, and the right to sue companies for damages. The law makes it possible for individuals to take charge of and control their personal information. Customers and business partners can start preparing now for the new law coming into effect in California soon.

PREPARING FOR COMPLIANCE

Organizations need to make adequate preparations to comply with the law. Businesses must update their terms of service, their privacy policy and their cookie policy, demonstrating that they take the security of their customers’ data and their business infrastructure very seriously. Organizations should also work towards fulfilling the privacy law’s requirements by establishing a lawful basis to back up all their customer data processing activities.

Organizations must also update their information security and data breach procedures and processes to address the new data rights introduced by the CCPA, and should take advantage of technology solutions wherever possible. The first step organizations can take is verifying what sensitive data they collect and where that data is located. This first step can be a daunting and challenging task for any business. Most organizations are well served by data discovery and data classification tools that help identify and locate sensitive personal data across the entire organization. Once an organization has inventoried the sensitive data it collects, it can take the necessary steps to ensure the privacy of that data, usually through data masking or encryption. Data masking and encryption are the next steps toward breach prevention. Businesses can also take advantage of breach detection tools that monitor the behavior of users and individuals accessing the data, detecting breach attempts early. Understanding the various data compliance tools available will help businesses decide how best to prepare for CCPA compliance.

To learn how Dataguise DgSecure provides enterprise software solutions for compliance with the California Consumer Privacy Act of 2018, contact us here to schedule a free demo!