The California Consumer Privacy Act (CCPA) is the most far-reaching privacy legislation in the United States, enacting broad rights for consumers and new compliance requirements for businesses.
The law does set criteria for determining whether it applies to you. However, if you are doing business in California or if your organization collects the personal information of California consumers, you should not ignore the CCPA.
Consumer Rights Under CCPA
The CCPA grants rights to California residents regarding the collection of their personal information, including the right to know what information a business collects about them, the right to opt out of the sale of their personal information and the right to have their personal information deleted (i.e. the right to be forgotten), among other rights. In all, this produces new strategic, tactical and operational challenges for businesses to address ahead of the law's implementation.
In addition to what is clearly stated in the law, other components of the law have yet to be defined. For example, it has yet to be determined how amendments passed by the California legislature will be applied, and it is unclear whether a federal law could be passed that preempts or supersedes the CCPA.
In brief, businesses should get ready for changes, plan measures to address consumer rights and put into practice mechanisms for the protection of personal information.
If you believe the CCPA may not apply to your organization, keep in mind that the CCPA applies to holding companies and subsidiaries that share the same branding, even if the smaller entities on their own do not exceed the CCPA applicability thresholds for revenue or for the types of information shared. Further, it is prudent to consider your organization’s own objectives for the protection of personal information and the risks to your business without appropriate policy, procedures and controls for data management in place.
If you are interested to understand whether the CCPA applies to you, please visit our CCPA Screening Tool and answer a few key questions.
If you know the CCPA applies to you, then keep reading.
What Must You Do Immediately?
- Review your current practices for data privacy:
  - Determine what data your business collects
  - Determine what you do with the data collected
  - Determine where data resides and map how it traverses your organization
- Review your policies:
  - Address the disclosure requirements for your notice of privacy practices, which must make known the categories of personal information collected and the purpose for which it is used.
  - Address the requirement that your notice list the categories of personal information collected, sold or disclosed for a business purpose in the previous year, or clearly state that personal information has not been sold or disclosed.
- Prepare to comply with consumer requests (within 45 days, free of charge and in a portable format). Possible requests include:
  - Categories and precise data elements of personal information collected
  - Types of sources of the collected personal information
  - Business purpose for collecting, selling or disclosing the information
  - Types of third parties with whom personal information is shared
  - Deletion of personal information about the consumer that the business has collected
- Review agreements and practices with third parties:
  - Identify the third parties and vendors with whom you share personal information
  - Consider whether your contracts include appropriate terms for the use or disclosure of personal information shared by your business and, where this matches your actual data privacy practices, state explicitly that you are not selling personal information to your business partners.
- Implement critical security controls:
  - Identify safeguards that achieve, at a minimum, a baseline level of information security for collecting or maintaining personal information. To determine what is appropriate, consider conducting a risk assessment of your current practices. Organizations should also consider adopting a privacy framework to guide the shift from minimum to strong privacy and security controls.
- Consider other privacy-related laws:
  - Consider assessing the regulations and laws in each geographic region where you do business to determine what additional privacy regulations apply in other jurisdictions. Even though you may be focused on the CCPA, there are other privacy laws, breach notification laws and regulations to which you may be subject.
Again, the first step is to gain an understanding of your current practices. Then move on to implementing the policy, procedures and controls that address consumer rights and protect personal information.
Rest assured that the CCPA and other data protection requirements aren’t going anywhere. Several states are deliberating their own privacy regulation, in addition to existing laws and regulations.
The CCPA will continue to change. The devil is in the details. And there are specific issues, for instance the limits of the private right of action under the CCPA, that may not be decided before the law goes into effect. It’s likely that, in due course, these issues will be resolved in court, creating precedent for others.
Inaction is unacceptable. Rigid programs risk not being able to adapt to continuing changes. The best course of action is to get started and adopt a privacy program capable of adapting to changes in the CCPA specifically and the next data privacy regulation to come.
Regulations can often be confusing, and many organizations are left unsure which regulations apply to them. To assist with this process, we’ve created a CCPA screener survey to help you determine where your organization stands. To complete the survey, click below!
CLICK TO TAKE OUR SURVEY – Know Where Your Business Stands
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
Contact us today for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.
Written in collaboration by the SecureTrust team of Chris Brown, Michael Webster and Jason Likert.