Privacy arrives in Silicon Valley in January: are you ready for the CCPA?
By now you have probably heard about the California Consumer Privacy Act (CCPA), but do you understand practically how to comply on an ongoing basis? Is your business ready? Have you uncovered the business benefits so you’re ready to leverage changes?
The new law is due to take effect from 1 January 2020, so there’s still some time to prepare (at time of writing) and uncover value if you are an organisation located within the state or seeking to do business with California residents.
Background: what is the CCPA?
Legislators in California passed the CCPA in June 2018, as the most comprehensive privacy law in US history — marking a sea change change in attitude in the home of the Silicon Valley tech giants. It’s the first US law of its kind to grant consumers rights about their personal information and set out how businesses handle it. The CCPA enhances privacy and consumer protection for residents of California, granting them the right to:
- find out how and why their personal data is being collected (including the categories of data, who collected it, who it was sold to and its purpose)
- stop companies selling their data to third parties
- have a company delete their personal data on request.
Why California, why now?
Much like its big brother the GDPR, the new legislation is citizen and consumer driven and it represents a backlash against data collection and the surveillance capitalist model. It comes at a time when data ethics and Privacy has become a bigger societal concern and part of a global agenda to tighten big tech regulation and protect individual’s rights. Privacy, Data Protection laws and technology ethics are not new of course, but there’s have been some critical moments of reckoning in the past few years (read more about the shift in my ‘The P’s of Good Data’ recent article) as we grapple with these rights in our data-driven global economy.
“Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves.” (Charles Fried)
Which businesses does the CCPA apply to?
The CCPA applies to organisations who do business in Californian, collects consumers’ personal data, and satisfy at least one of these thresholds:
- Annual gross revenues = $25 million+
- Handles personal information of 50k or more consumers, households, or devices
- Over half of its annual revenue comes from selling consumers’ personal information.
GDPR similarities?
While the CCPA rides on the global momentum toward tighter Data Protection regulations brought by the GDPR and other legislation from South America to Asia, it’s not as extensive as its ‘big brother’ the GDPR. However, both laws broaden the definition of personal data and put the citizen at the centre, wrestling back control from companies. Other commonalities include: an increase in access and deletion rights for individuals, and the need for contracts with third party processors.
If you comply with the GDPR while it doesn’t mean that you are CCPA compliant by default, chances are you already meet some of the CCPA requirements having done the work to meet tough GDPR compliance. However, you’ll have to do some specific tasks for CCPA such as adding a “Do Not Sell My Personal Information” link on website. Get in touch with Trace’s consulting team if you need expert Professional services.
How to comply
It’s important to take expert advice and use qualified Privacy professionals when approaching your compliance programme and regulatory change. This article is not legal advice, but here are some quick tips for complying with the CCPA:
- Know your data — what categories of personal data are you collecting and how that information is disclosed, sold or shared? What do your flows and workflows look like? You can use Trace to model your personal data and build you Records of Processing Activity (RoPA)
- Know your third party processors — where is data sharing happening? Are the right legal contracts and Data Processing Agreements (DPAs) in place? Do you understand how your vendors operate, and are the right contracts, controls, processes and APIs compliant? Our Data Processor inventory and assessor helps you get a handle on third party privacy and legal risk, so you can have better controls on third parties when it comes to compliance
- Protect the data that matters — get on top of data security and ensure you have the right organisational and technical measures in place in your business, and get assurance that vendors who handle data on your behalf do. The CCPA establishes a right of action for certain data breaches if a business fails to maintain reasonable security practices and procedures. Trace helps you audits data security and collaborate with colleagues or partners to check measures
- Update your external channels — your website, privacy policies and customer communication channels will need to be reviewed and updated in line with regulatory changes
- Test the consumer rights — don’t wait until you are asked, understand how the rights have changed and test them before you handle your first consumer data rights’ request.
The law .. raises the stakes in the event of a data breach by creating a class action right and statutory damages without having to prove actual losses. (DLA Piper)
In a nutshell
The CCPA is consumer advocacy measure for Californians to have greater awareness of and control over how their personal information is collected, processed and sold by companies. For businesses impacted it means work, and a need to have a better understanding of data subject rights and a handle on what personal data they’re processing (and where it is).
Enlightened organisations will see the changes as a positive, brand differentiator and means to build trust with consumers, and an opportunity to clean up their data processing habits to reduce risk and power operational resilience.
Trace can help with streamlined, smart and visual compliance, book a free demo now.
