California’s recently passed privacy law, coming on the heels of similar regulations issued by the European Union, makes it imperative that businesses have clear policies and procedures for collecting, storing and using personal information.
The California Consumer Privacy Act (CCPA), passed in May 2018, is a far-reaching law that covers not only the data itself but also how businesses manage relationships with consumers and third parties. It is similar to, but more stringent than, the EU’s General Data Protection Regulation (GDPR), also enacted in 2018.
What Businesses Does the CCPA Affect?
The CCPA applies to any business or non-profit organization (or entity that controls or is controlled by such a business and shares branding) that meets one of the following criteria:
How Is ‘Personal Information’ Defined?
The CCPA takes a broad approach to personal information, including some data that are not typically included in such definitions. Under the act, personal information includes:
A provision also covers inferences that could be drawn from any of the other information to create consumer profiles. The law does not include publicly available information.
What Rights Do Consumers Have Under the CCPA?
Consumer rights under the CCPA include:
Does the CCPA Address Data Breaches?
In the event of a data breach, the CCPA provides consumers with a private right of action. That means consumers can pursue statutory damages and injunctive relief if data is accessed or stolen by an unauthorized party. It also allows consumers to take action if the business failed to maintain reasonable security measures.
What Other Obligations Do Businesses Have?
Businesses must post California-specific privacy rights on websites. Those sites must also disclose how consumers can request information and the categories of personal information collected or sold in the previous 12 months. There must also be a conspicuous link titled ‘Do Not Sell My Personal Information.’
Businesses must train employees on the act and consumers’ privacy rights.
How Is the CCPA Different from the GDPR?
The European Union adopted the General Data Protection Regulation, which applies to nearly all companies that collect private consumer data on EU citizens. It requires companies to comply with robust data security and management protocols.
While the compliance categories are nearly the same as those under the CCPA, the guidelines are not as well defined, and enforcement is weaker. Unlike the CCPA, the GDPR applies to small and large companies and will likely evolve over time.
What Should My Business Do to Address GDPR and CCPA?
What can your company do to comply with these acts? Here are a few tips: