The strongest set of data protection rules to date – GDPR – came into effect across the European Union on May 25, 2018. The intent was to modernize laws protecting the private information of individuals. But what the General Data Protection Regulation (GDPR) really did was pave the way for the implementation of similar regulations in other parts of the world.
In 2018, Vermont enacted the first state law mandating the registration of data brokers. Another U.S. state – Ohio – then made headlines with the first cybersecurity safe harbor law. Within the same timeframe, the breach notification statute in Colorado was amended to include a data deletion/disposal provision, while Massachusetts and other states also enacted breach notification statutes.
Amidst all of these developments, Governor Jerry Brown of California passed the CCPA bill on June 28, 2018. The bill seeks to improve consumer protection and privacy rights for Golden State residents.
And this makes sense considering that innovative California ranks first in the U.S. in net tech developments and net tech jobs added. California is also the home of Silicon Valley and its inventions, accounting for almost 19 percent of the state’s overall economic growth.
With an enforcement date of January 1, 2020, the CCPA – despite several amendments – will possibly end up being the toughest privacy regulation in the U.S., one-upping the GDPR. Nearly every company that does business in California or handles its citizens’ personal data will feel the impact.
Any household or resident of California who can be reasonably identified, even with a unique identifier, is covered by the California Consumer Protection Act. The CCPA allows California consumers to exercise a new set of rights.
The California Consumer Protection Act, although controversial, presents a unique opportunity for organizations to level up on privacy best practices.
If you are still unaware of the effects of the CCPA on your business, it’s time to get the ball rolling. Otherwise, you might inadvertently attract a hefty fine. So, if you’re currently involved in handling personally identifiable information (PII) of California residents, you need to change how you operate.
Your company must now either adhere to the new standards for consumer data collection outlined by the regulation or prepare for the consequences if you fail to safeguard this data.
According to the CCPA, “businesses” are for-profit entities that gather personal data from consumers – in this case, residents of California – and meet at least one of the following criteria:
If you determine that your business meets any of these criteria and is processing personal information derived from California consumers, you need to work on CCPA compliance.
Your business is not covered by CCPA regulations if:
Your business is exempt from CCPA laws until 2021 if personal details are collected from employees, directors, staff, officers, owners, contractors, and job applicants in your company. However, right-to-know notification for employees will be required in some cases.
The bill requires businesses to submit reasonable verification of consumers in response to their CCPA requests. Consumers must use their existing accounts to make consumer requests. Your business, however, cannot ask a consumer to create an account just for the sake of making the request.
Also, personal details of employees, officers, contractors, directors, and owners collected through business-to-business transactions or communications or due diligence will not fall under the purview of the CCPA. Vehicle manufacturers and dealers also have a right to share or retain vehicle details and ownership information for recall or warranty-related repairs.
However, both of these caveats indicate amendments to the CCPA that have already passed the state legislature but have yet to be signed into law by California Governor Gavin Newsom.
Once the amendments are signed, they’ll give employers until January 1, 2021 to become compliant with the CCPA, and will give the legislature more time to decide whether to keep employee records out of the purview of the CCPA.
The California legislature has since passed three other amendments to this bill which require Governor Newsom’s signature by October 13, 2019.
At present, your business must have two or more designated contact methods for consumers to make requests under CCPA law, including a website address and a toll-free number. This amendment seeks to change the requirement of having a toll-free number if your business operates exclusively online and has a direct relationship with the consumer. In such cases, you only have to provide an email address through which consumers can submit requests.
This amendment will remove confusing jargon from the current CCPA regulations about what constitutes publicly available information as well as remove language concerning the purpose of the data in federal records.
This amendment requires the California Attorney General to create a publicly available data broker registry online, a provision which seeks to add transparency for consumers so they can understand how your business utilizes their data and who is accessing it.
We only have a few months left before the CCPA comes into effect, so you should quickly determine whether or not your organization will have to adhere to the new regulations. However, keep in mind that the positive effects of compliance with the CCPA on your business’s marketing programs and efforts to generate consumer trust will be more impactful than the associated penalties.