The CCPA is the most comprehensive privacy law in the United States to date and is designed to give Californians more control over their personal information.
Major new data protections the CCPA introduces include:
Right to access information – Consumers in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request the following, which must be provided in a portable format:
Right to deletion – Consumers in California will be able to request that a company delete the personal information it has collected about them.
Right to opt out – Consumers in California will be able to direct a company not to sell their personal information to third parties. It is also important to note that the definition of “sell” in the bill is broader than a simple monetary exchange: it covers transfers of personal information for monetary or other valuable consideration.
Although it was passed in June 2018, the CCPA will not go into effect until January 1, 2020. During that gap, companies can expect the California Attorney General to clarify the requirements of the CCPA through regulations and expect the California legislature to amend the law. The CCPA has already been amended to include, for example, a grace period for businesses in which the Attorney General cannot bring an enforcement action until six months after final regulations have been published, or July 1, 2020, whichever is sooner. Note that this grace period does not apply to the private right of action consumers can bring under the CCPA. Several other amendments are still pending in the California legislature.
The CCPA applies to for-profit businesses operating in California that collect personal information of California consumers for which any of the following are true:
Privacy is often thought of as a legal problem, but it is not only that. Teams across the entire organization must come together to understand the current data assets, how they are used, and the impact on the business going forward.
Training and change management are key; continuous process improvement and regular assessments are the right approach for reducing risk.
Ensure that agreements with data-processing service providers are compliant with the CCPA.
Discover which data elements are collected from California consumers and the purposes for which that data has been used.
The scope of “personal information” under the CCPA is broad and includes any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Revise the website home page, customer notices, and privacy policy.
The website must provide a clear link for consumers to opt out of sale (the “Do Not Sell My Personal Information” link the statute prescribes) along with the privacy policy update.
Provide clear instructions on the website or through other communication channels for consumers to exercise their rights.
The business must be able to disclose the personal information it collected or sold in the 12 months preceding a consumer's “Right to know” request.
Establish a reconciliation process between deletion requests and the need to preserve data as evidence in litigation (legal hold).
Document an exception process for “Right to delete” requests.
Opt-in right for minors: a business may not sell the personal information of a consumer it knows to be under 16 unless the consumer (or, for children under 13, a parent or guardian) has affirmatively opted in.
Right to non-discrimination: consumers who exercise their rights must receive equal service and pricing.
Identify the team and the business process that will fulfil “Right to know” requests within the 45-day deadline.
The information must be provided in a portable format so consumers can easily transfer it to other entities.
Disclose at least two methods for consumers to submit requests, such as a toll-free number and a website address, and identify the individuals responsible for handling consumer requests.
The disclosure should include
Train employees who handle consumer inquiries on the consumer rights prescribed by the CCPA.
Create and maintain comprehensive breach response plan
Review third-party agreements to ensure that each contract limits the service provider's use of personal information as prescribed by the CCPA.
The CCPA defines “business purpose” as the use of personal information for the business's or a service provider's operational purposes, or for other notified purposes, provided the use is reasonably necessary and proportionate to that purpose.
Without a CCPA-compliant agreement with a third-party provider, a disclosure of personal information to that provider may be treated as a “sale,” which triggers the consumer's opt-out right.