Data privacy laws are coming to the US, to little surprise, and businesses should prepare for more measures in the future. Last year, businesses within and outside the EU saw the General Data Protection Regulation (GDPR) go into effect. The US has seen repeated abuse of data privacy with Facebook and Mark Zuckerberg. There are even commercials now by Apple that focus on promoting how they uphold your privacy on their devices.
As technology makes it easier to collect consumer data, our personal information has become invaluable to the businesses and third parties that profit from it. However, some companies have elected to ‘act first, and think second’ when it comes to collecting and exploiting consumer data. Some of the recent data breaches and systemic abuses have made consumers more than squeamish about how, when, and why their personal data is collected, stored, and shared by others. Taking notice, governments in the US are acting to protect their consumers, starting with the California Consumer Privacy Act (CCPA).
What is the California Consumer Privacy Act (CCPA)?
The CCPA goes into effect on January 1st, 2020 and gives California residents the right to:
- Know what personal information is being collected
- Know whether personal data is sold or disclosed to third parties and to whom
- Object to the sale of personal information
- Access their personal information
- Request that a business delete any personal information collected
- Not be discriminated against for exercising privacy rights
The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
Who does the California Consumer Privacy Act Affect?
This bill applies to any company that collects a consumer’s personal information, does business in California, and meets at least one of the following requirements:
- Business must exceed an annual gross revenue of $25 million
- Business obtains personal information of 500,000 or more California residents, households, or devices annually, or
- Business obtains more than half of its annual revenue from selling California residents’ personal information.
What happens if you meet these requirements and don’t comply? You’ll most likely be fined – and no small amount either.
How to Prepare to Meet CCPA’s Requirements
Most US-based companies that sell to California residents will need to update or apply privacy policies to comply with CCPA, in addition to any GDPR compliance measures you might already follow.
Review Current Data Policies and Security
To start, businesses need to understand what personal information they collect, how they collect it, and how it’s used. They should confirm whether it’s sold or shared with third parties and for what reason. If you haven’t already, get a data security risk assessment to understand where you’re at today. From there, you can update your internal and online policies to comply.
Prepare to Act
Businesses should also plan for how they will respond to consumers who request access to or deletion of their personal information. How do consumers opt out of data collection or the sale of their personal data? How will employees be trained to handle these situations?
Check Who You Work With
Lastly, be sure to review contracts with service providers and anyone else who has access to your consumers’ personal information, and check whether they’re compliant with CCPA.
What to Expect Next for Data Privacy
California is just the beginning. Other states like Massachusetts are taking the same progressive action and more will probably follow.
Data privacy and security can no longer be an afterthought for your business. Constant data breaches and abuse of personal data are becoming the norm, not the exception. It’s your responsibility to comply with these laws, and more importantly, respect and protect your most important business asset, your customers. And if you don’t, you’ll be held responsible.