California’s equivalent of the EU’s GDPR, the California Consumer Privacy Act (CCPA), is taking the U.S. by storm. Signed into law in June 2018, this wide-ranging privacy statute resembles the GDPR in many ways: it aims to strengthen privacy safeguards in the U.S. and give people essential control over their personal information. It goes into effect Jan. 1, 2020. Here’s hoping businesses have preparations well underway to comply.
Back in 1972, the California Constitution was amended to include an explicit right to privacy for the state’s people. Over the years, various mechanisms have been put in place to protect this right. As technology has advanced and taken a central role in day-to-day business and life, however, it has become clear that personal information is now at far greater risk.
Many organizations process consumers’ information, and incidents like the Cambridge Analytica scandal have highlighted the pressing need for change. That incident in particular raised global awareness of the real risks: tens of millions of people had their personal information exploited without knowing it was happening.
With the CCPA, California has updated its legislation to bring data privacy law up to date with current technology, business practice and the expectations of today’s consumers. Its aims are to minimize the privacy impact when businesses process consumers’ personal information, to give consumers better protection of and control over that information, and to give them the transparency they need.
The CCPA grants California residents specific privacy rights over their personal information and imposes obligations on the entities that process it.
The law reaches every business that serves California residents; the business does not need to be located in California. Wherever it is based, if it does business in the state and handles residents’ personal information, it must comply. This is similar to the GDPR, which applies to any organization processing the personal data of individuals in the EU, regardless of where the organization is located.
Some differences between the CCPA and the GDPR relate to which businesses are covered. The GDPR applies to organizations of every size and revenue. The CCPA, however, only applies to businesses that meet at least one of the following criteria:
With this in mind, the GDPR has a broader reach than the CCPA in terms of the businesses it covers.
The CCPA also exempts certain categories of information that are already regulated under other laws: medical information and protected health information covered by HIPAA, personal information that banks and other financial institutions collect under the Gramm-Leach-Bliley Act, and consumer-report data governed by the Fair Credit Reporting Act. Note that these are exemptions for the regulated data, not blanket exemptions for the organization: a hospital or bank still has to comply with the CCPA for personal information that falls outside those laws, such as website visitor data or marketing lists.
The California Consumer Privacy Act pertains to personal information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The GDPR covers any personal data relating to an identified or identifiable natural person (a data subject, who need not be a consumer). In that respect the two laws are similar: both protect information that can be used to identify a person. The CCPA, however, explicitly includes information the GDPR does not call out, such as information linked to households and devices. Its definition is also much broader than those in earlier California privacy law, adding identifiers not generally thought of as personal information, namely anything that “relates to” or “could reasonably be linked” with a consumer or household.
Personal information under the CCPA (as seen in the bill) includes:
The bill also includes inferences drawn from personal information used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Personal information does not, however, include de-identified or aggregate consumer information (provided it cannot reasonably be re-linked to a consumer or household) or publicly available information, meaning information lawfully made available from federal, state or local government records.
Businesses impacted by the CCPA should already be prepared; if not, preparations should be well underway. With the effective date just around the corner, businesses need the necessary measures in place and working so they can meet their obligations and respond to consumers’ requests in a timely manner from Jan. 1.
The CCPA gives Californians rights they can exercise over their personal information, and businesses processing that information must honor those rights as laid out in the legislation. Doing so adequately requires reliable technology plus data governance policies and procedures.
The following criteria need to be met for the CCPA:
To meet its obligations, a business must first understand its existing data inventory (the data it holds and processes) and its record-keeping processes. Identify and classify data assets, determine where personal information resides and assess the security risk of each location. Decide whether each data set is actually necessary to keep; it is always good practice to store only what is needed, so securely remove unnecessary data and, with it, unnecessary risk. Keep the inventory current by reviewing and managing it continually.
Put procedures in place, or amend existing ones, so the business can act on consumers’ requests to exercise the rights laid out in the legislation. Controlling access to the data is vital to protecting it: implement appropriate permissions and limit access to personal information to those who need it.
Ensure a system is in place to manage and monitor the data so that any unauthorized access attempt can be detected and responded to. Stay abreast of cyber threats, review controls continuously and adjust them as needed to maintain security.
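The inventory step above (find where personal information lives, classify it and flag what does not need to be kept) can be started with a small discovery pass. The script below is an added example, not code from the original article: it scans a few constructed sample data stores for identifiers the CCPA treats as personal information, builds a per-store inventory of what it found, and flags stores that hold personal information but have no documented business purpose as candidates for secure deletion. The store names, records and purpose map are constructed for illustration, and the regular expressions are deliberately simple; a real scan would need patterns tuned to the business’s own data.

```python
"""Added example: a small personal-information discovery pass over data stores.

The stores, records and purpose map below are constructed for illustration; the
regexes are simplistic and would need tuning for real data.
"""
import re
from collections import defaultdict

# Value shapes that the CCPA treats as personal information when they can be
# linked to a consumer or household.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}

# Field names that mark a value as personal information even when the value
# itself has no recognisable shape (geolocation, device identifiers, names).
FIELD_HINTS = {
    "geolocation": {"lat", "latitude", "lon", "longitude", "geo"},
    "device_id": {"device_id", "idfa", "gaid", "advertising_id"},
    "name": {"name", "first_name", "last_name", "full_name"},
}

# Constructed sample data stores (hypothetical locations and records).
SAMPLE_STORES = {
    "crm/customers": [
        {"name": "Alice Example", "email": "alice@example.com", "phone": "415-555-0100"},
        {"name": "Bob Example", "email": "bob@example.net", "phone": ""},
    ],
    "web/access_log": [
        {"ip": "203.0.113.7", "path": "/cart", "device_id": "ab12"},
        {"ip": "198.51.100.9", "path": "/", "device_id": ""},
    ],
    "analytics/aggregates": [
        {"region": "CA", "visits": 1200},  # aggregate data, not personal information
    ],
    "legacy/export_2016": [
        {"ssn": "123-45-6789", "lat": "37.77", "lon": "-122.41"},
    ],
}

# Documented business purpose per store; None means nobody could say why it is kept.
SAMPLE_PURPOSES = {
    "crm/customers": "order fulfilment and support",
    "web/access_log": "fraud detection",
    "analytics/aggregates": "reporting",
    "legacy/export_2016": None,
}


def classify_record(record):
    """Return the set of personal-information categories present in one record."""
    found = set()
    for field, value in record.items():
        key = field.lower()
        for category, hints in FIELD_HINTS.items():
            if key in hints and value not in (None, ""):
                found.add(category)
        if isinstance(value, str):
            for category, pattern in PATTERNS.items():
                if pattern.search(value):
                    found.add(category)
    return found


def build_inventory(stores):
    """Map each store to {category: number of records containing that category}."""
    inventory = {}
    for location, records in stores.items():
        counts = defaultdict(int)
        for record in records:
            for category in classify_record(record):
                counts[category] += 1
        inventory[location] = dict(counts)
    return inventory


def stores_to_review(inventory, purposes):
    """Stores holding personal information with no documented purpose: candidates
    for secure deletion rather than continued storage."""
    return sorted(
        location for location, counts in inventory.items()
        if counts and purposes.get(location) is None
    )


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES)
    for location, counts in inv.items():
        print(f"{location}: {counts or 'no personal information found'}")
    print("review for deletion:", stores_to_review(inv, SAMPLE_PURPOSES))
```

Running it shows the aggregate store producing no findings (it holds no personal information, matching the CCPA carve-out for aggregate data), while the undocumented 2016 export, which contains SSNs and geolocation, is flagged for deletion review. The same inventory output is the starting point for the access-control and monitoring steps: each store with findings needs an owner, restricted permissions and audit logging.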
Educating and training all employees on proper data handling, and on the consequences of improper processing, is imperative and should be a priority. Training needs to be relevant, continuous and encouraged from the top down. Without it, the policies and procedures on paper will not be sufficient: if staff do not put them into practice, what is documented is futile.
Seek the necessary support. If that means getting advice from more experienced consultants or engaging legal services to move the process forward, do so. Not every business has the resources on hand and may need to look outside the business itself.
A business’s existing security maturity level and its data protection and governance strategies determine its readiness for the CCPA, so it is important to approach compliance by first establishing the organization’s current degree of preparedness. A readiness assessment can determine this.
On a positive note, businesses already complying with the GDPR should find that many aspects of the CCPA are already addressed. Because the GDPR requires strong security and privacy controls, CCPA compliance may be within close reach with only a few adjustments or additions. Those that do not already comply with the GDPR may have a lot more work to do.