California Consumer Privacy Act: What You Need to Know About “GDPR Lite”
The ability to collect and analyze data about individuals has never been greater. People create huge trails of information as they browse, shop, consume data and interact online; machine learning, AI and data sharing can sort, filter and interpret information at an ever-finer level. In this new milieu, governments across the world are instituting new laws to protect the privacy and consumer rights of individuals. The California Consumer Privacy Act of 2018 (CCPA), which was passed in June 2018, is one such law.
Often referred to as ‘GDPR lite’, it bears similarities to the EU’s General Data Protection Regulation; the intent of the CCPA is to provide Californians with more control over their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
The Act will take effect on January 1, 2020. According to the CCPA Readiness Benchmark Report, published by privacy compliance and risk management firm TrustArc, only 14 percent of companies are currently in compliance with the CCPA.
Which businesses would be covered by CCPA?
The CCPA protects California-based consumers, which means that any business collecting and processing the personal information of Californian residents – whether it is located in California, the US or overseas – would have to abide by it. It must also be noted that the CCPA applies only to for-profit entities; non-profit entities are exempt from CCPA.
Additionally, the business must meet one of the following criteria in order to be covered by CCPA:
- The business must generate annual gross revenue in excess of $25 million,
- The business must receive or share personal information of more than 50,000 California residents annually, or
- The business must derive at least 50 percent of its annual revenue by selling the personal information of California residents.
If a business meets none of these three criteria, it is exempt from the CCPA.
Just as they did for GDPR, organizations will have to determine how they collect, store, share, and manage personal information in preparation for the CCPA. For most organizations that must comply, this implies changing their procedures across the board, not just for Californians. As a blog post by international law firm Proskauer puts it: “For example, few companies are likely to devote the resources necessary to provide the Act’s opt-out options to a user visiting a Web site from an IP address in California, while providing a Web site without those features to residents of the other 49 states.”
The Act defines personal information broadly, as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition covers data such as:
- Personally identifiable information (PII) such as name, address, IP address, email address, account name, social security number, passport number, and driving license
- Browsing history, interaction with advertisements, apps, or websites
- Property records
- Psychometric data
- Employment history
CCPA: Assessing where your data practices stand
Many companies have already implemented stringent privacy protections in their preparation for GDPR compliance. As there are many areas of overlap between the CCPA and GDPR, a similar model could be instructive in implementing processes and procedures.
What personal information are you currently collecting and what are you doing with it? A proper data mapping will help your organization understand the information lifecycle and what systems you have in place to manage and protect it.
Data Lifecycle Management (DLM)
This data-mapping audit identifies which privacy safeguards are in place and where the deficiencies are. The next step is to develop an effective Data Lifecycle Management (DLM) plan that governs every stage of data use: creating, storing, using, sharing, archiving and destroying.
How will you implement and operationalize the DLM plan? Systemizing and automating data procedures helps ensure processes are ongoing and accurate. Reports and other audit procedures are also automatable.
Rather than being purely a cost, implementing new procedures can create efficiencies, new insights and other valuable, actionable outcomes. As an article in Internet of Business states, “but as with GDPR in Europe, canny organizations should see any incoming regulation as an opportunity and as a key competitive differentiator, and not as a threat to their business models.”
Communicating how your organization handles personal information is a fundamental requirement of the CCPA.
As more of our lives are lived digitally, trust in those that have our information becomes more important. As Michael V. Marrale, CEO of M Science, writes in Forbes, “consumers having control of their data and the use rights associated with it will force the industry to grow up and take responsibility for its actions. It will force out bad actors, consolidate around the responsible operators and foster a trust that we all need to continue to benefit from the economic efficiencies a data driven economy brings to us all.”
Companies that demonstrate full transparency will further gain the trust of consumers, especially at a time when there is growing public skepticism around trusting companies with personal data.