Making Sense of the California Privacy Law Requirements

Data breaches continue to raise concerns over privacy among businesses which has led to an avalanche of regulations to protect Personally Identifiable Information (PII). In 2018, the European Union General Data Protection Regulation (GDPR) was instituted to ensure that all the organizations protect private data. A new regulation was introduced in California with a similar mission as GDPR. The California Consumer Privacy Act (CCPA) requires that every organization that handles PPI in California devise robust strategies to protect the data from compromise or exposure.

CCPA: Overview

Businesses may find the process of regulatory compliance intensive and time-consuming, but it’s crucial to understand that the law is aimed at protecting their integrity and brand reputation, while also safeguarding the security of California residents’ data.

Unlike Europe, the United States lacks an established federal data privacy law despite the rising trend of cybercrime activities. Triggered by the increase in data breaches and violation of consumers’ privacy rights, the Californians for Consumer Privacy submitted their suggestions to the Attorney General in November 2017. Their submissions implored the AG to compel companies to protect the data of their consumers.

The California AG worked to compile a set of rules that would guide the operations of every organization in California. In June 2018, the attorney’s submission was debated and passed by the California Legislature. On September 23, the bill was presented to Governor Jerry Brown, who signed it and integrated it to the California Civil Code.

California Privacy Requirements: What it means to Your Business

This law concerns the consumers controlling data. It requires that your business institute measures that will protect the data from access by unauthorized intruders. However, the state has given enough time for organizations to learn the basics of the regulations before being punished for non-compliance.

All businesses have up to January 1, 2020, to comply. During this time, the AG will identify any loopholes that may compromise its efficiency, amend it, and ensure that it takes full effect. This duration allows you to make suggestions for improvement to ensure that the regulations have unparalleled clarity.

Organizations Subjected to the CCPA Regulations

Your organization must meet at least one of the following requirements to be subjected to the CCPA regulations:

• Generate an estimated gross revenue of $25 million annually
• Receives, stores, or transmits resident personal information of at least 50,000 California residents
• Earn at least half of its revenue from selling personal information for California residents

Any companies that don’t meet these requirements, as well as non-profit organizations, are exempted from these regulations.

Implications of CCPA Regulations

This law applies to all businesses that handle personal information of California residents regardless of whether they are operating within or outside California. For example, an online company that sells California residents’ data but is based in Washington DC will still be subjected to the regulations.

Failure to comply with the regulations will mean a breach of the California Civil Code which will result in significant damages and penalties. The statutory fines can range between $100 and $750 per resident per incident. Offending organizations will also be required to pay for all damages resulting from the data breach, or any other damage as determined by the court. Intentional violation of the regulations will impose a higher fine of up to $7,500 compared to the unintentional violation which draws a fine of up to $2,500.

Categories of Personal Information

The CCPA regulations classify personal information into 12 distinct categories including:

• Real name, address, unique ID, alias, IP address, passport number, bank details, or social security number
• Any personal information as defined in the Civil Code 1798.80
• Any information linked to an individual’s gender, ethnicity, race, or sexuality
• All commercial information including purchasing history and property records
• Information collected from the internet including browsing history, search history, and job applications made
• Biometric data
• Psychometric information
• Geolocation data
• Professional/employment data
• Audio, thermal, electronic, olfactory, or visual information
• All the inferences from the above-listed data sources
• Information collected for children/minors

What Personal Information Should Be Provided Upon Request?

Every organization is obliged to provide personal information collected upon request by the customer. As such, it’s necessary that all the businesses that obtain personally identifiable information from California residents offer an avenue where the customers can collect the data painlessly. This may include a toll-free telephone number or a website. Upon request, the company has a maximum of 45 days to provide the requested information.

Do I Have the Right to Know About Sold/Disclosed Personal Information?

The consumer has the right to get the details of the information disclosed to a third-party vendor. Additionally, companies are obliged to provide contact information for these vendors to allow the consumer to follow up on how their data is used. To simplify the process, the organization should categorically explain the reasons for disclosure and the security measures instituted to prevent data breaches.

Compliance with the Right to Know

All businesses should be careful not to disclose information to unverified individuals. When a customer requests their personal information, your organization should confirm the identity of the client before the disclosure. If the business intends to sell the identifiable information, the customer has the right to know all the details of the third party for the preceding 12 months.

Do I Have the Right to Say No to the Sale of Personal Information?

The client can opt out of selling personally identifiable information. If a consumer rejects a sale arrangement, the business must comply and cannot force the sale of personal data.

Compliance with the Right to Opt Out

Ensure that you have a link on your homepage which allows the consumer to opt out. The connection may include words such as “Do not sell my personal information.” You should also outline your privacy policy and allow customers to make inquiries for clarifications.

How Technology Enables Compliance

CPPA compliance requires handling large volumes of documents, which can be tedious. You can use technology to organize your work. Software can monitor data collection and the efficiency of security measures and manage consumer requests. Also, technology can enhance communication between internal and external stakeholders, guaranteeing efficiency; which allows your business to focus resources on other matters.

• About
• Latest Posts

Ken Lynch

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to
pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.

Latest posts by Ken Lynch (see all)

• The Role PCI-DSS Plays in Security - January 21, 2020
• Your Quick Guide to SOC 1, 2 and 3 - December 13, 2019
• Using a Risk Assessment for a SaaS Company - November 24, 2019