Feb 20, 2020
You finally managed to get a handle on the whole GDPR business. But wait, the fun's not over yet! Now you must contend with the California Consumer Privacy Act (CCPA), which took effect on January 1 2020, and comes with its own set of rules and headaches. Read on to find out what it is and how you can tame this beast.
The California Consumer Privacy Act is meant to strengthen consumer protection and the privacy rights of California residents. The new legislation applies to all businesses to provide services or products to consumers in the Sunshine State.
Irrespective of your personal take on the CCPA, you have to agree that the Act is revolutionary. In fact, pundits equate it to the beginning of a GDPR-like structure within the United States.
Surprisingly, America has never had a federal law governing the data rights of its citizens. But under the CCPA regulations, organizations must be fully transparent regarding the collection, sharing, and use of consumer information.
Because it makes the most logical sense. California has always been a pioneer of sorts as far as data privacy regulations are concerned. The state previously operated under CalOPPA (California Online Privacy Protection Act). And now the CCPA serves as a potential starting point for sophisticated privacy regulations that can be adopted nationwide.
CalOPPA (California Online Privacy Protection Act). And now the CCPA serves as a potential starting point for sophisticated privacy regulations that can be adopted nationwide.
While the law has multiple subsections, companies that employ or service Californians will find the following five pillars to have the greatest impact on their present operations:
Your organization may already adhere to GDPR (General Data Protection Regulation) requirements, but you need to get your business operations up to speed with CCPA standards within the grace period (six months from the date of official CCPA activation).
The CCPA provides permanent residents of California with new data privacy rights. They can know what and how personal information is used, request deletion and prevent businesses from collecting further information about them. Sponsored by the advocacy group Californians for Consumer Privacy, the CCPA has been termed "the most comprehensive privacy law in the country."
The implications of the landmark CCPA law extend far beyond California and represent a considerable shift in attitudes regarding data privacy in the US. For example, One Trust survey found that only 2 percent of businesses considered themselves CCPA compliant as of late August 2019. But the requirements are forcing businesses to take consumer data privacy seriously.
What's more, a report from Capgemini Research Institute shows that consumers want to do business with organizations that enforce data privacy over those that don't. 39 percent of consumers from the survey revealed they would purchase more goods from companies that safeguard their data, while 70 percent of respondents want to stop dealing with businesses that lack sufficient data privacy protection measures.
This is why organizations need to buckle up and strengthen their data security processes. They must pay attention to customer privacy while following the regulations laid down by data privacy regulation laws like the CCPA. These laws empower consumers to control personal data.
Also, complying with these regulations help businesses grow their brand and improve customer loyalty and trust. So, companies must have the right data protection methodologies and tools in place. Of course, juggling accessibility and security is hard, but businesses will get tangible benefits in the long run.
Thus, data privacy must be at the forefront of an organizations' business strategy to save time and money.
CCPA applies to all for-profit organizations that operate in California and either:
Business owners operating in California and collecting, sharing or selling Californian consumer's private data will probably be governed by the CCPA if they meet any of these benchmarks. The reach of the CCPA extends to organizations that own, are owned by, or share common branding with a covered businesses.
For that reason, businesses modify their data handling practices for implementing CCPA:
Find out whether CCPA applies to any aspect of your organization. Even if the measures don't seem to apply to your business, you should read the whole law since the definitions of "sale" and "personal information" are comprehensive.
If CCPA applies to your business, identify and analyze gaps or loopholes that exist between your present rights management policies and the ones you must enact to fulfill the requirements.
Understand the business activities and processes covered by the law and pay attention to the requirements involving minors.
Have a transparent, clear view of the data usage within your organization. If necessary, develop in-scope data flow map detailing how you sell, collect and disclose personal details. If you already have a map in place, update them with new steps necessary under CCPA.
CCPA individual rights may apply to different activities or processes within your organization, including:
Understand whether your organization will provide financial incentives for consumer data. Under the CCPA, businesses can offer reasonable incentives to consumers as compensation for the sale, deletion, or collection of personal data as long as:
Update your business' individual rights management processes to meet CCPA specifications and ensure your company's existing privacy policies include all disclosures under CCPA.
If your business has contracts in place with third-party vendors with whom your share collected personal information, modify the documentation to include every CCPA provision.
Define processes for handling SARs you receive from customers. Already have SAR policies in response to GDPR? Update them to meet CCPA requirements as well.
The California Attorney General announced multiple changes to the CCPA proposed regulations on 7 February 2020. The modifications included changes to the Right to opt-out, mandatory content of CCPA notices, and the permissible use of data by service providers. Businesses present working toward CCPA compliance should expect the Attorney General to commence enforcement once the rulemaking process concludes.
Most of the modifications are business-friendly:
As soon as the CCPA was enforced at the beginning of the year, plaintiffs filed a data breach class action lawsuit against Hanna Andersson LLC and Salesforce, alleging CCPA violations. While the eventual result of the legal action is unknown right now, the nature of the lawsuit is important. It sends a clear message that CCPA compliance must be a top business priority since it is clearly at the forefront of the minds of consumers.
Aside from addressing CCPA needs, businesses must find solutions to achieve the greater goal of building customer trust. And in the digital economy where a single poor experience is enough to make the customer switch to the competitors, trusted engagements are important. And the CCPA goes a long way in helping achieve the same.
The CCPA aims to help businesses operating in California be as transparent as possible with the way they handle and disclose consumer information. This legislation will pave the way for other state-wide legislation to provide similar privacy protection and data rights.
|US Department of Defense, DoD 5220.22-M (3 passes)|
|US Department of Defense, DoD 5200.22-M (ECE) (7 passes)|
|US Department of Defense, DoD 5200.28-STD (7 passes)|
|Russian Standard – GOST-R-50739-95 (2 passes)|
|B.Schneier’s algorithm (7 passes)|
|German Standard VSITR (7 passes)|
|Peter Gutmann (35 passes)|
|US Army AR 380-19 (3 passes)|
|North Atlantic Treaty Organization-NATO Standard (7 passes)|
|US Air Force AFSSI 5020 (3 passes)|
|Pfitzner algorithm (33 passes)|
|Canadian RCMP TSSIT OPS-II (4 passes)|
|British HMG IS5 (3 passes)|
|Pseudo-random & Zeroes (2 passes)|
|Random Random Zero (6 passes)|
|British HMG IS5 Baseline standard|
|NAVSO P-5239-26 (3 passes)|
|NCSG-TG-025 (3 passes)|
|5 Customized Algorithms & more|