Californian companies have to contend with new privacy law on the horizon in 2019 just as they were getting used to the 2018 European Union’s General Data Protection Regulation (GDPR). After last year’s big push for GDPR compliance, you can expect the same, or perhaps more, pressure from the government to adopt the CCPA, a new law governing data, that was passed by ballot initiative.
The CCPA is intended for Californian companies that collect residents’ personal information. However, amidst all the hubbub and activity around its adoption, many companies still do not understand the new requirements or how to navigate them.
What is the Reason Behind the Californian Privacy Law?
The new CCPA law explains the reasons behind its enactment in its findings and declarations. You see, unlike the European Union that has put in place a set of cohesive data privacy requirements to be followed by all industry stakeholders, the US has no such industry requirements.
Ergo, realizing the massive security breach that that exists in the industry, and the fact that the Internet has significantly changed privacy rights, an NGO called Californians for Consumer Privacy forwarded their detailed suggestions to the state’s Attorney General in November 2017.
The move led to the creation and adoption of the CCPA that intends to protect compromised consumer data in the event of a data breach. The state’s legislature passed the bill in June 2018. Later on September 23, 2018, the governor signed the amendments made to the California Civil Code, which enforced the measure.
What the CCPA Means to Your Business
The CCPA focuses more on consumer-controlled data as opposed to networks, systems, and software. The CCPA is slated to become effective on January 1, 2020, what’s more, the Attorney General is expected to publish additional regulations in line with the new requirements between January 1, 2020, and July 2, 2020, to clarify the law.
Any business that meets at least one of the following three requirements automatically falls under the new CCPA regulatory umbrella. Non-profit entities are exempt.
- It must generate over $25 million in annual gross revenue.
- The company must receive or share the personal information of over 50,000 California residents.
- It must earn at least half of its revenue from dealing in, or selling, California residents’ personal information.
The Implications of the CCPA
The language used in the CCPA borrows heavily from the GDPR. What’s more, the new California privacy laws intend to protect the state’s residents and apply to businesses both inside and outside the state. For instance, an Ohio-based online company that sells California resident information and meets any of the three requirements stated above falls subject to the CCPA.
Since the California Civil Code incorporates the CCPA, any business that suffers a data security breach resulting in the improper disclosure of consumer information will be liable for lawsuits.
Here, a court of law can set statutory damages between $100 and $750 per resident and incident, as actual damages (if present), or any other relief it determines. You can incur fines of up to $7,500 for an intentional violation and $2,500 for unintentional ones.
Categories of Personal Information
The CCPA defines 12 consumer information categories that businesses need to document. These are:
- Real name, alias, account name, email address, postal address, unique ID, social security number, IP address, passport number, or anything similar.
- Anything that is considered personal information under Civil Code 1798.80.
- Anything related to race, gender, ethnicity, or other protected class information under California or federal law.
- Commercial information including products or services, property records, or purchasing histories.
- Biometric data.
- Any information collected from network or Internet activity such as search history; browsing history; or any other application, website, or advertisement interaction.
- Geolocation data.
- Audio, visual, thermal, olfactory, electronic, or similar information.
- Psychometric information.
- Professional or employment information.
- Inferences made based on any of the above ten information types.
- Any of the above information categories collected for minors or children.
The Provision of Personal Information Upon Request
Upon customer requests, you will be required to provide the different types of personal information you collect. Ergo, all businesses that collect data from California residents must provide, at the minimum, a website and a toll-free number where residents can request their information. After that, the companies are required to disclose and deliver the requested information within 45 days.
The Right to Know about Disclosed or Sold Personal Information
Under the CCPA, if a business discloses or sells consumer information to a vendor, the consumer in question can request the information category involved. Moreover, companies will be required to provide third-party identities and their contact information as well. After that, the business has to explain the business purpose, if any, for the sale or disclosure.
Complying with the Disclosure and the Right to Know Requirements
All businesses that fall under the CCPA must verify all customer information requests, which means linking the personal information a business collected to the information a consumer provides. Also, you must identify the information category collected for the preceding 12 months.
As stated above, if you sell or disclose consumer information, you must provide the names and contacts for the third party as well as the information categories involved in the transaction for the preceding 12 months.
The Right to Opt Out of the Sale of Personal Information
All businesses that transact in personal data must provide the related consumers with the option of saying no; thus, you cannot sell consumer information unless otherwise directed.
CCPA stipulates the essence of your consumers’ “right to opt out.” Therefore, you are obligated to comply with this requirement by clearly and conspicuously stipulating on your homepage a “Do Not Sell My Personal Information” link. You need to spell this out for your consumers literally.
Although the CCPA does not mandate businesses to add this link to their website, it does specify that if you chose not to add the link on your primary website, you need to maintain a secondary site for Californian residents. On your page, you need to outline your privacy policies as well as California-specific rights descriptions. Further, the “Do Not Sell” page should link to a California-specific page that details CCPA opt out and consumer privacy rights.
How a GRC Management Solution Enables CCPA Compliance
Once the CCPA come into effect, compliance will require extensive documentation collection, storage, and retrieval. CCPA compliance will also require extensive communication between external and internal stakeholders. An effective Governance, Risk, and Compliance (GRC) Management Solution can help your business delegate tasks and follow progress made to ensure compliance and completion.
The CCPA’s 45-day timeline, further, puts a strain on your company’s resources hence the need for a solution that allows you to monitor all consumer request fulfillment activities and ensure compliance. A GRC’s task prioritization mechanism enables you to review your workflows, mitigate cyber risks, and review your internal controls that maintain opt-in and opt-out information. Finally, a GRC solution acts as a single information source which is helpful during information audits.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. You can learn more at ReciprocityLabs.com.