The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is the latest regulation to attempt to control the murky world of personal data. With strong ties to the General Data Protection Regulation (GDPR), CCPA is one of a myriad of upcoming global data controls that will attempt to tip the scales on privacy and control.
The act comes into effect on January 1st 2020, with enforcement taking effect on July 1st 2020, and will impact all companies engaging in business in California. This includes all entities doing any form of business within the Golden State, no matter where they are globally located. CCPA specifically applies to for-profit businesses that collect personal data, operate in California and have a gross annual revenue exceeding $25 million, hold the personal information of 50,000 or more consumers, or make over 50 percent of their profits selling data. Whilst this is a seemingly narrow scope, California is the fifth largest economy in the world, so CCPA promises to bring global ramifications.
Under CCPA, consumers have the right to know and access all information collected on them by a company from the previous year. Companies are given 45 days to comply. A consumer who asks to access this information can also request the information, names and addresses of the third parties this data was sold to. Beyond this, consumers have the right to request the removal of personal information or opt out of having their data shared. Basically, CCPA gives transparency and control to consumers and prevents any form of discrimination, such as denial of service, if consumers choose to exercise these rights.
In preparing for this new California privacy law, security officers and data protection professionals must assess what consumer data their company is collecting and how it retains this data, and evaluate the internal and external flow of this information. Whilst it is crucial to understand what data is being collected, tracking and managing this data flow should be a compliance and security priority. Beyond this flow, security officers must know who can access this personal data and how each of these individuals interacts with the data. With this knowledge, security officers are equipped to protect sensitive data from internal and external threats, ensure compliance with CCPA and develop handling policies that align with wider business strategies.
Through this evaluation, companies are seeing their data silos broken down in attempts to meet CCPA requirements. This breakdown of internal walls leaves entities better able to habitually protect data across a company and improve transparency. To ensure the protection of consumer data, CCPA is calling for companies to tighten their security company-wide.
CCPA, along with other regulatory frameworks, is raising global standards for the future of data privacy. With almost half of Americans found to believe the security of their personal information has declined in the past five years, according to a recent Pew Research Center study, copycat versions of CCPA and GDPR are already in the works globally.