As consumers become hyper-focused on their digital footprint and confidentiality, numerous states are passing legislation on consumer privacy. Enter California’s new privacy law, the California Consumer Privacy Act (CCPA).
Enacted on June 28, 2018, CCPA goes into effect January 1, 2020. If you’re just hearing about the law, take note of some key points. One of the compelling pieces of the CCPA is the scope of persons covered under the legislation, and its limited carve-outs. In essence, if your organization physically or virtually touches a California resident, you are subject to this bill’s requirements. CCPA encompasses all California residents, including customers, employees, visitors to a company internet site or business location, contractors and independent contractors, and vendors. Just as GDPR forever changed the landscape of personal information processing in the EU, CCPA establishes a new standard of compliance in California for the collection and processing of consumers’ personal information.
The rights CCPA grants consumers
- Right to know: Companies must be able to tell consumers what information they collect or hold, the purpose for which it was collected, where the company got that information, how the information is being used, whether the information is being disclosed or sold, and to whom it is being disclosed or sold.
- Purpose limitation: Information must be used for a company’s operational purposes.
- Right to deletion: Consumers can request their data be deleted, unless the business requires the data be retained for legitimate business reasons.
- Right to opt out of sale: Consumers can request that their personal information not be sold.
- Right to be free of discrimination: Businesses must provide equal service and pricing to consumers.
The applicability of CCPA is determined not by the location of a company’s business but by the individuals whose data it touches, and the definition of personal information is substantially broader in scope than previously delimited for Personally Identifiable Information (PII). For example, an individual’s IP address and cookies associated with them are considered PII under CCPA.
The California Attorney General is expected to publish more prescriptive guidelines around the legislation, offering guidance to companies in their adoption of the new privacy law. In the meantime, companies affected by the CCPA are already assessing the impact on their business and making information security adjustments as needed. As with GDPR, best-in-class companies are already evaluating what changes to enact now to be compliant by the 2020 deadline.