Protecting and securing your customers’ data is a critical requirement of running a business. You may already have data protection policies in place to respond to the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018. While GDPR affected many U.S.-based companies, the most extensive consumer privacy legislation in the United States is the California Consumer Privacy Act (CCPA). Thus, it has been dubbed by some as “California GDPR” or “GDPR Lite.”
What is CCPA?
Enacted on January 1, 2020, the California Consumer Privacy Act (CCPA) was created to protect the personal information of California residents. Like other privacy laws, CCPA includes basic tenets of data protection as well as provisions requiring that data subjects be notified about the uses of their data. Enforcement of the CCPA will begin on July 1, 2020.
Who needs to comply with CCPA?
The CCPA applies to any for-profit entity doing business in California that collects consumers’ personal information, determines the purposes and means of processing it, and satisfies any one of the following criteria:
- Annual gross revenues of at least $25 million
- Obtains the personal information of at least 50,000 California residents, households, and/or devices per year
- Derives at least 50% of its annual revenue from the sale of California residents’ personal information
There are exceptions and nuances to the CCPA, because it does not supersede other federal regulations. For example, the CCPA does not override laws such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). Thus, data subject to HIPAA or GLBA remains governed by the HIPAA and GLBA requirements rather than by the CCPA.
Does your organization need changes?
Data privacy is the new norm across the globe. While the U.S. federal government has passed laws targeting select areas of data privacy, such as CAN-SPAM for email spam, the CCPA is the first law of its kind in the U.S. to codify broad privacy protections for California residents. Other states, such as Massachusetts, Minnesota, Pennsylvania, and New York, are drafting their own privacy laws that closely mimic California’s standard. Businesses should therefore factor the CCPA into their forward planning, as it is likely to matter even more in the future.
What data is covered by CCPA?
The CCPA defines personal information as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information may include, but is not limited to, name, email address, IP address, professional information, and other identifying data.
An amendment in October 2019 changed how employment information is treated under the CCPA. There were 19 amendments as of the end of October 2019, and more were released on February 7th and 10th of this year.
What can you do to prepare for CCPA?
Below are a few items to consider when preparing your business to comply with the CCPA’s requirements:
- Update your privacy notice, privacy policies, and procedures
- Document data flows and processes that could be impacted by CCPA
- Implement controls to address consumer rights requests
- Educate and train your employees on CCPA
- Perform a risk analysis of affected areas and processes
- Strategize a roadmap for ongoing compliance and implementation