CCPA keyboard
What does California’s Consumer Privacy Act (CCPA) mean to you?
September 28th, 2018 |

As consumers become hyper focused on their digital footprint and confidentiality, numerous states are passing legislation on consumer privacy. Enter California’s new privacy law, the California Consumer Privacy Act (CCPA).

Enacted on June 28, 2018, CCPA goes into effect January 1, 2020. If you’re just hearing about the law, take note of some key points: specifically, one of the compelling pieces of the CCPA is the scope of persons covered under the legislation, and its limited carve outs. In essence, if your organization physically or virtually touches a California resident, you are subject to this bill’s requirements. CCPA encompasses all California residents, including customers, employees, visitors to a company internet site or business location, contractors and independent contractors, and vendors. Just as GDPR forever changed the landscape of personal information processing in the EU, CCPA establishes a new standard of compliance in California for the collection and processing of consumers’ personal information.

The rights CCPA grants consumers

  • Right to know: Companies must be able to provide consumers with what information they collect/hold, the purpose for which it was collected, where the company got that information, how the information is being used, whether the information is being disclosed or sold and to whom the information is being disclosed or sold.
  • Purpose limitation: Information must be used for a company’s operational purposes.
  • Right to deletion: Consumers can request their data be deleted, unless the business requires the data be retained for legitimate business reasons.
  • Right to opt out of sale: Consumer can request their personal information not be sold.
  • Right to be free of discrimination: Businesses must provide equal service and pricing to consumers.

The applicability of CCPA isn’t limited to the location of a company’s business, but rather the individuals whose data they touch; and, the definition of personal information is substantially broader in scope than previously delimited for Personally Identifiable Information (PII). For example, an individual’s IP address and cookies associated with them are considered PII under CCPA.

There is the perception that the legislation places a burden on companies to reconfigure their information systems to meet consumer requests for disclosure, delivery and deletion. CCPA impacts not only a company’s privacy policy, but potentially their processes and data tracking methodology. For example, businesses must inform consumers at or before the point of collection as to what categories of personal information they are collecting and the business’s purpose in collecting the information. This may require acknowledgements on the company’s website or data gathering system(s) notifying the consumer of why they are collecting their data and what personal information they are capturing.

The California Attorney General is expected to publish more prescriptive guidelines around the legislation, offering guidance to companies in their adoption of the new privacy law. In the meantime, companies affected by the CCPA are already assessing the impact to their business and making information security adjustments as needed. As with GDPR, best-in-class companies are already evaluating what changes to enact now to be compliant by the 2020 deadline.

ShareTweet about this on TwitterGoogle+Share on LinkedInEmail to someonePrint this page

Tags:

There's Much More

Understanding and navigating the complexities of our industry is what we do best and we'd enjoy the opportunity to talk with you about yours. Please fill out the fields below and we'll contact you within 24 hours. Thank you.