2018 was a pivotal year for those concerned with data privacy. Earlier this year the General Data Protection Regulation (GDPR) from the EU foreshadowed the coming shifts in the relationship between businesses, customers, and their data. Governments are defining how businesses can collect and use the private data of their customers and outlining the types of disclosures and permissions they’ll require going forward.
As expected, the U.S. is also beginning to pass new data protection legislation, with California going first with its Consumer Privacy Act (also abbreviated CCPA and CACPA). Together, the GDPR and the California Consumer Privacy Act of 2018 have outlined the fundamental principles and approaches that we can expect from the wave of consumer privacy laws sure to come.
The CCPA and the GDPR have some similarities but they approach consumer privacy differently. Both apply to any company in the world that does business with the citizens under its jurisdiction. However, while the CCPA is more specifically concerned with consumer privacy rights, the GDPR more broadly covers how businesses should approach data security, management, and portability.
RIGHTS PROTECTED BY THE CCPA
The California Consumer Privacy Act will give you important new consumer privacy rights to take back control of your personal information, including:
- Right to know ALL data collected by a business on you, twice a year, free of charge.
- Right to say NO to the sale of your information.
- Information Security: Right to sue companies who collected your data, where that data was stolen or disclosed pursuant to an unauthorized data breach, if the company was careless or negligent about how it protected your data (i.e. if the data was unencrypted, un-redacted, or the company didn’t have reasonable security policies and procedures in place to protect it). Identity Theft needs to be curbed!
- Right to DELETE data you have posted.
- Right not to be discriminated against if you tell a company not to sell your personal information.
- Right to be informed of what categories of data will be collected about you prior to its collection/at point of collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- Right to know the categories of third parties with whom your data is shared.
- Right to know the categories of sources of information from whom your data was acquired.
- Right to know the business or commercial purpose of collecting your information.
Enforcement is via a private right of action (consumer lawsuits) for data breaches, with the rest of the act subject to enforcement by the California Attorney General, at up to $2,500 per violation.
The California Consumer Privacy Act will accomplish the following three major goals:
- You will have the right to know what information large corporations are collecting about you...and you should. Businesses use your personal information for their own purposes, including targeting you with ads, discriminating against you based on price or service level, and compiling your information into an extensive electronic file on you. You should be able to know what’s being collected about you.
- You will have the right to tell a business not to share or sell your personal information...and you should. California law has not kept pace with changing business practices. Businesses not only know where you live and how many children you have, but also how fast you drive, your personality, sleep habits, health and financial information, current location, web browsing history, to name just a few things.
- You will have the right to protections against businesses which do not uphold the value of your privacy...and you should. Businesses that collect your sensitive personal information should take basic steps to keep it safe. Right now there are no consequences if they don’t, and this law will introduce some consequences.
It’s important to remember that both the CCPA and GDPR apply to any company in the world that does business with the citizens under its jurisdiction. This means any company with relationships with California residents should take heed and begin taking the necessary steps to comply with the new consumer data privacy law.
With the adoption of the CCPA, the writing is on the wall. It’s only a matter of time before the U.S. either passes its own federal version of the GDPR or states individually pass a patchwork of legislation that accomplishes the same objective of regulating business consumer data collection and protecting customer data privacy.
Currently, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws that require businesses to notify consumers if their personal information is compromised. But California and Vermont have now both gone beyond breach notification requirements and outlined significant regulations in the collection, sharing, and processing of consumer data.
We’re poised to witness privacy law changes all over the country. Businesses looking to avoid non-compliance penalties need to start implementing these requirements now. “Safe” today can easily mean “dead” tomorrow.