Is Your Agency Ready for California Consumer Privacy Act?
March 04, 2020 | 8 minutes read
Consumer protection, data privacy, and new and extended rules on how personal data may be used or sold have become a bottom-line concern for many businesses. Laws already protect collected customer data from abuse, fraud and misuse, yet few businesses can operate without collecting data. The internet has grown faster than regulation, and the ways to misuse someone's personally identifiable information have multiplied faster than the laws against them.
The European Union was the first major jurisdiction to legislate that individuals have a right to privacy online and control over their data. The General Data Protection Regulation (GDPR) was adopted in April 2016, and companies were given two years to adjust to the new rules and learn how to protect and, where necessary, redact customer, employee and patient data.
Under the GDPR, any personally identifiable information must be collected with the knowledge of the individual and on a lawful basis; the individual must be told what it will be used for; the data must be kept secure and used only for that purpose; and it may not be passed on or sold without a lawful basis for doing so. Individuals also have the basic right to see what has been collected about them and what has been done with it.
Since the GDPR became fully enforceable on May 25, 2018, expectations of personal privacy and anonymity have grown. Congress has not acted to protect citizens' privacy in an effective manner, so states are beginning to pass their own laws. California was the first, following the example set by the GDPR, and its law took effect on January 1, 2020.
The California Consumer Privacy Act (CCPA), now in effect, will affect far more than consumers in California. It sets a template for other states' protection laws, and any business that collects personal information on California residents must comply even if it has no presence in the state. Getting into compliance now is wise, as enforcement by the Attorney General begins July 1, 2020.
CCPA Effective Now
The California Consumer Privacy Act, or CCPA, is now in effect. With California the first state to enact its own comprehensive privacy law, other states are following suit, and privacy laws are increasingly enforced worldwide. As legislation progresses, a unified standard that can be applied globally may emerge.
Who Does CCPA Affect?
Because of how California wrote its privacy legislation, the CCPA can affect most Americans, since businesses that serve California tend to apply one policy everywhere. The CCPA applies to for-profit businesses that collect or sell the personal information of California residents and meet any one of three thresholds. The first is gross annual revenue of more than $25 million, regardless of where the business is located.
The second threshold covers any business that buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices per year; purchasing a mailing list of 50,000 California residents, for any reason, is enough. The third covers any business that derives 50 percent or more of its annual revenue from selling consumers' personal information.
Does CCPA only Affect California?
No. These rules apply to any for-profit business that meets the thresholds above and collects personal information on California residents, regardless of where the business is physically located. Knowing how to protect this data, comply with the new privacy rules and document the steps taken to do so will allow your company to remain a viable participant in the California consumer marketplace.
How to Comply with CCPA
Your company should be ready to comply now. The law has been in effect since January 1, 2020, and California is giving companies until July 1, 2020, when enforcement begins, to get their data handling into compliance. A solid understanding of the main provisions, and of how they map onto your corporate data architecture, is the foundation for a workable privacy compliance strategy.
Many enterprises serve customers worldwide. Because of the similarities between the GDPR and the CCPA, it is good practice to adopt one overall policy that carries your company through compliance with both.
Basic GDPR principles include:
- The right of individuals to access the personal data a company holds about them.
- A lawful basis (consent is one of six) before collecting or processing personal data on a potential or current customer.
- A documented data security policy. Companies are responsible for the security of the data they collect or store.
- Transparency. In the event of a personal data breach, a company has 72 hours from becoming aware of it to notify the supervisory authority; a late or missing notification is itself a violation and can attract fines.
California Consumer Privacy Act rights include:
- California residents have the right to access their personal information, to have it deleted, and to opt out of its sale.
- The right to know the categories of personal information being collected.
- The right to know the categories of sources from which personal information is collected or matched.
- The right to know the categories of third parties with whom personal information is sold or shared.
- The right to transparency about why data is collected and the business purpose it will be used for.
- The right to deletion, subject to the law's exceptions, of personal data a company has collected from them.
- The right to opt out of the sale of their personal information, and the right not to be discriminated against (through price or level of service) for exercising any of these rights.
- Opt-in consent is required before selling the personal information of residents under 16; for children under 13, a parent or guardian must give it.
CCPA Enforcement
GDPR enforcement is already under way, and CCPA enforcement begins July 1, 2020. Penalties can be severe for companies found violating the new privacy laws, and they hurt the bottom line of any business with customers in California. The law is enforced by the California Attorney General's office.
For data breaches, the CCPA also gives consumers a private right of action: a company that fails to maintain reasonable security and exposes a resident's personal information can be sued for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Separately, the Attorney General can seek civil penalties of up to $2,500 per violation, and up to $7,500 per intentional violation.
While fines can be steep, the damage to consumer relations can be worse. California's breach notification law requires affected residents to be told that their information may be at risk, so a security failure becomes a public event. The resulting loss of trust can cost a company more than the fine itself.
Two Steps Ahead of CCPA
The way to handle privacy and stay compliant with new and upcoming regulations is to remain two steps ahead. Treat these laws as an opportunity for your customer relationships: extend knowledge, trust and transparency to your customer or client base, explain your company's responsibilities, and answer consumer questions readily. Spell out how their information will be stored and used, and be up front about why you need the information you request. Your grandmother always told you that "honesty is the best policy"; here, honesty and transparency go hand in hand.
Tackle the problem in-house with a data audit. Be able to say, for each of your own databases, which customer fields are personally identifiable information (PII). Pay attention to how fields link to other data: values that are harmless alone, such as ZIP code, birth year and gender, can identify a person in combination, and improving machine-learning tooling makes such linkage easier and cheaper. Since every company's needs differ, the fields that must be considered for redaction will differ too.
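What a first-pass data audit of one table can look like in practice, as an added example that is not code from the original article or from CaseGuard. It classifies each column as a direct identifier, a quasi-identifier or neither (the column-name hints and the list of quasi-identifier columns are assumptions for this example), measures how many rows are still uniquely identifiable from the quasi-identifiers alone, and shows that simply blanking e-mail and phone is not enough until ZIP and birth year are also coarsened. The customer rows are constructed sample data, not real people.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample rows standing in for a customer table (fictional people).
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"customer_id": "C1001", "email": "ana@example.com", "phone": "415-555-0101",
     "zip": "94103", "birth_year": "1984", "gender": "F", "plan": "gold"},
    {"customer_id": "C1002", "email": "ben@example.com", "phone": "415-555-0102",
     "zip": "94105", "birth_year": "1987", "gender": "F", "plan": "silver"},
    {"customer_id": "C1003", "email": "cai@example.com", "phone": "310-555-0103",
     "zip": "90001", "birth_year": "1991", "gender": "M", "plan": "gold"},
    {"customer_id": "C1004", "email": "dee@example.com", "phone": "310-555-0104",
     "zip": "90002", "birth_year": "1992", "gender": "M", "plan": "gold"},
    {"customer_id": "C1005", "email": "eli@example.com", "phone": "310-555-0105",
     "zip": "90003", "birth_year": "1993", "gender": "M", "plan": "basic"},
]

# Direct identifiers: one value points at one person. Detected by value shape.
DIRECT_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}
# Assumed column-name hints for this example; a real audit uses the data dictionary.
DIRECT_COLUMN_HINTS = {"customer_id", "ssn", "account_number", "name", "full_name"}
# Quasi-identifiers: harmless alone, identifying in combination.
QUASI_COLUMNS = {"zip", "postal_code", "birth_year", "birth_date", "gender"}


def classify_columns(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Label each column 'direct', 'quasi' or 'other' from its name and its values."""
    labels = {}
    for col in rows[0]:
        values = [str(r.get(col, "")) for r in rows]
        if col.lower() in DIRECT_COLUMN_HINTS or any(
                p.match(v) for p in DIRECT_PATTERNS.values() for v in values):
            labels[col] = "direct"
        elif col.lower() in QUASI_COLUMNS:
            labels[col] = "quasi"
        else:
            labels[col] = "other"
    return labels


def linkage_risk(rows: List[Dict[str, str]], quasi_cols: List[str]) -> Tuple[int, int]:
    """Return (k, unique): k is the size of the smallest group of rows sharing the
    same quasi-identifier combination, unique is the number of rows that are alone
    in their group. k == 1 means someone is re-identifiable with no direct identifiers."""
    key = lambda r: tuple(str(r[c]) for c in quasi_cols)
    groups = Counter(key(r) for r in rows)
    return min(groups.values()), sum(1 for r in rows if groups[key(r)] == 1)


def generalize(col: str, value: str) -> str:
    """Coarsen a quasi-identifier: ZIP to its 3-digit prefix, year to its decade."""
    if col in ("zip", "postal_code"):
        return value[:3] + "**"
    if col == "birth_year":
        return value[:3] + "0s"
    return value


def redact(rows: List[Dict[str, str]], labels: Dict[str, str]) -> List[Dict[str, str]]:
    """Blank direct identifiers and generalize quasi-identifiers; keep other columns."""
    out = []
    for r in rows:
        new = {}
        for col, v in r.items():
            if labels[col] == "direct":
                new[col] = "[REDACTED]"      # pseudonymize instead if a stable key is needed
            elif labels[col] == "quasi":
                new[col] = generalize(col, str(v))
            else:
                new[col] = v
        out.append(new)
    return out


def audit(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Classify columns, measure linkage risk before and after redaction, return both."""
    labels = classify_columns(rows)
    quasi = sorted(c for c, lab in labels.items() if lab == "quasi")
    k_before, unique_before = linkage_risk(rows, quasi)
    redacted = redact(rows, labels)
    k_after, unique_after = linkage_risk(redacted, quasi)
    return {"labels": labels, "quasi_columns": quasi,
            "k_before": k_before, "unique_before": unique_before,
            "k_after": k_after, "unique_after": unique_after, "redacted": redacted}


if __name__ == "__main__":
    report = audit(SAMPLE_ROWS)
    print("columns:", report["labels"])
    print("quasi-identifiers:", report["quasi_columns"])
    print(f"before: k={report['k_before']}, unique rows={report['unique_before']}")
    print(f"after:  k={report['k_after']}, unique rows={report['unique_after']}")
```

On the sample table every row is unique on (birth_year, gender, zip) even with e-mail, phone and customer ID removed, so k is 1 before redaction; after the ZIP and year are coarsened the smallest group has two members and no row stands alone. The same check run over a real export tells you which columns the redaction policy has to cover, which is the question a CCPA data audit needs answered.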
Turn your company's focus toward a solution-oriented redaction system. CaseGuard provides a secure and customizable data redaction solution that can be tailored to the needs of your company. Having an in-house system means redaction is not left to the IT department alone: depending on the company structure, administration and any other designated personnel or departments can be trained to use it. CaseGuard's redaction system is used by law enforcement, government agencies, hospitals, schools, banks and other data-driven organizations that must follow strict privacy regulations.
There are real cost savings when a company can handle its own redaction. CaseGuard handles all forms of PII. Schools use it to protect student privacy under FERPA, and hospitals to protect patients under HIPAA. It works with surveillance, law enforcement and security systems, and offers a quick, easy-to-learn way to redact documents, PDFs, databases, video and audio files. All data stays in-house, without the added risk of sending it to a third party.
Because new privacy laws are becoming more prevalent, companies should start preparing now for what will eventually be global standards for consumer data privacy. An enterprise that cannot manage its data responsibly will not last in today's information-driven marketplace. The way forward is to secure the data, become proactive in understanding privacy law, and gain a solid grasp of the available choices for data redaction.