The California Consumer Privacy Act (CCPA), AB 375, comes into effect on January 1, 2020. The CCPA was created with the same intent as the EU’s well-known General Data Protection Regulation (GDPR): it regulates how businesses collect personal information online from California residents.
What Does the CCPA Define?
Under AB 375, any California consumer can demand to see all of the information a company has collected and stored about them, online or offline. The consumer can also ask how the company will use this information and which third parties the stored data will be shared with. If a consumer believes their privacy is threatened or finds a company violating the defined privacy rules, they can sue the company.
The CCPA grants California consumers the following rights:
- To have transparency about what personal data a business has collected about them.
- To know whether the personal information they have provided to the business is being sold or disclosed.
- To know with whom the business is sharing, or may share, their collected personal information.
- To refuse the sharing of their personal information (in whole or in part).
- To access the personal information they provided to the business, to check that it has been stored correctly.
A PwC-sponsored survey of CIOs at companies with at least $1 billion in revenues conducted by a third-party firm the first week of October found that 43% will spend over $10 million getting ready for the California Consumer Privacy Act (CCPA)—with 20% topping $100 million.
Who Needs To Comply With The CCPA When It Comes Into Effect?
Legal, for-profit entities that operate in California and collect consumers’ personal information will be responsible for complying with the CCPA if they meet any of these conditions:
- Have at least $25 million in gross revenue.
- Collect, buy, sell, or distribute the personal data of at least 50,000 consumers.
- Derive the majority of their annual revenue from selling personal data collected from users.
NOTE: The Act is not limited to companies based in California or with a physical presence in the US. Any company that serves California consumers and collects their data in one way or another falls under this law.
How Does the CCPA Define Personal Information?
The CCPA defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” ‘Personal information’ includes:
- Name, postal address, contact number, unique personal identifier, IP address, email address, bank details, any account name, passport number, social security number, driver’s license number, or other information that identifies an individual.
- Commercial information, such as records of personal property, purchase records (products or services), and other payment or transaction records.
- Information collected from the Internet or other electronic media, including browsing history, search history, cookies, interactions with any business or person online, forms filled in, online subscriptions, discounts or coupons redeemed, applications sent, ads clicked, or online transactions made.
- Geolocation data.
- Biometric information.
Further, personal information can include educational information, family background, professional history, and so on. The CCPA’s definition of ‘personal information’ is quite broad and covers almost every bit of information about California residents.
Preparing for the CCPA
If your business is already GDPR compliant, then becoming CCPA compliant is a cakewalk. If you were not following GDPR, it could be a tough call, as you need to start from scratch, but believe us, it is now vital to follow the CCPA guidelines.
You need a good overall plan for implementing the CCPA’s security and privacy requirements. Here is what you need to practice to keep pace with the upcoming CCPA rules.
- Organize and clean up your data assets: Explore your databases and identify where personal information (as defined by the CCPA) is stored. Review the access permissions on that data to see whether it is at risk.
- Segregate the rarely used data: Dig deeper into the CCPA personal data and identify data or folders that are not in regular use or are rarely accessed. Decide whether to retain, archive, or delete this data, since stale personal data only adds unnecessary security risk.
- Restrict access: After checking the personal data and its permissions, work on data security measures. Limit access to those who actually need the data to perform their job. This is known as ‘role-based access control.’
- Monitor: Implement a data security program that continuously watches for outside threats or unauthorized access to the stored personal data.
- Review: Continuously review and check permissions to maintain the integrity, security, and privacy of the stored personal data.
- Adapt: Keep an eye on new or possible cyber threats and adjust privacy and security settings to keep your databases safe.
You are never done with the CCPA: go back to Step 1 (the groundwork) to see how data is stored and organized, then follow the remaining steps again. To be compliant with the CCPA or any similar standard, you always have to make sure you understand how, and whether, it is relevant to you.
If you already follow recommended automation practices such as progressive profiling, form optimization, data cleanups, and data security, you will never feel burdened by complying with any data guidelines.
If you need help getting ready for the CCPA or GDPR, or assistance understanding digital data privacy regulations, we can support you. Write to us at firstname.lastname@example.org.
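As an added example that is not part of the original article, the following Python script carries out the first three preparation steps above over a constructed data inventory: it maps which tables hold CCPA-style personal information, flags tables of personal data that have not been accessed within a year, and lists role grants on personal data that the role does not need for its job (the role-based access control check). Every table name, column name, role, date and the personal-information keyword list is a constructed assumption chosen for illustration.

```python
"""Added example (not from the original article): a small data-inventory check
covering the CCPA preparation steps of locating personal information, finding
stale personal data, and reviewing role-based access. All names and dates are
constructed for illustration."""
from datetime import date

# Column-name fragments that indicate the kinds of personal information the
# article lists (constructed keyword list; matched case-insensitively).
PERSONAL_INFO_KEYWORDS = (
    "name", "address", "phone", "ip_address", "email", "passport", "ssn",
    "driver_license", "geolocation", "biometric", "browsing_history",
    "search_history", "account",
)

# Constructed inventory: table -> columns, last access date, role grants.
INVENTORY = {
    "customers": {
        "columns": ["customer_id", "full_name", "email", "postal_address"],
        "last_accessed": date(2019, 11, 28),
        "grants": {"support": "read", "marketing": "read",
                   "analytics": "read", "intern": "read"},
    },
    "orders": {
        "columns": ["order_id", "customer_id", "sku", "amount"],
        "last_accessed": date(2019, 11, 30),
        "grants": {"support": "read", "finance": "read"},
    },
    "legacy_leads_2015": {
        "columns": ["lead_id", "full_name", "phone", "ip_address"],
        "last_accessed": date(2016, 3, 2),
        "grants": {"marketing": "read", "intern": "read"},
    },
    "web_sessions": {
        "columns": ["session_id", "ip_address", "browsing_history", "geolocation"],
        "last_accessed": date(2019, 11, 29),
        "grants": {"analytics": "read"},
    },
}

# Constructed role model: the tables each role needs to do its job.
# Any grant outside this set is excess access under role-based access control.
ROLE_NEEDS = {
    "support": {"customers", "orders"},
    "finance": {"orders"},
    "marketing": {"customers"},
    "analytics": {"web_sessions"},
    "intern": set(),
}


def personal_info_columns(columns):
    """Return the columns whose names look like CCPA personal information."""
    return [c for c in columns
            if any(k in c.lower() for k in PERSONAL_INFO_KEYWORDS)]


def personal_data_inventory(inventory=INVENTORY):
    """Step 1: map each table to the personal-information columns it holds."""
    result = {}
    for table, meta in inventory.items():
        cols = personal_info_columns(meta["columns"])
        if cols:
            result[table] = cols
    return result


def stale_personal_data(inventory=INVENTORY, today=date(2019, 12, 1),
                        max_age_days=365):
    """Step 2: tables holding personal data not accessed within max_age_days."""
    return sorted(
        table for table, meta in inventory.items()
        if personal_info_columns(meta["columns"])
        and (today - meta["last_accessed"]).days > max_age_days
    )


def excess_grants(inventory=INVENTORY, role_needs=ROLE_NEEDS):
    """Step 3: (role, table) grants on personal data the role does not need."""
    findings = []
    for table, meta in inventory.items():
        if not personal_info_columns(meta["columns"]):
            continue  # no personal information here; out of scope
        for role in meta["grants"]:
            if table not in role_needs.get(role, set()):
                findings.append((role, table))
    return sorted(findings)


if __name__ == "__main__":
    print("Personal data by table:", personal_data_inventory())
    print("Stale personal data (>1 year):", stale_personal_data())
    print("Grants to review or revoke:", excess_grants())
```

The three functions map directly onto the first three steps: the inventory tells you where CCPA personal information lives, the stale-data check surfaces candidates to retain, archive or delete, and the excess-grants list is the starting point for the role-based access review. Running the same checks on a schedule covers the later steps of continuously reviewing permissions.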