Data Privacy Law Makes Landfall in California
An unstoppable force has crossed the Atlantic and landed on our shores. Now, the eye of the storm is in California, and the rest of the country will feel its impact.
Data Privacy, a significant idea that has long demanded attention, was codified and implemented by the European Union in 2018 as the General Data Protection Regulation (“GDPR”). In response, advocacy for Data Privacy has grown in the United States.
Any consumer thinking about privacy can surely understand that our data is a proprietary asset that each one of us should be able to protect from sale and unauthorized disclosure. California, a state that is regularly the first to enact protections, has taken Data Privacy seriously, and signed into law the California Consumer Privacy Act (“CCPA”).
What does this mean?
The CCPA will go into effect on January 1, 2020. Make no mistake, this is an important step in the right direction for data privacy efforts nationwide (see the “California Effect”). As a result, businesses are now mandated to comply with a new, critical set of controls in an already complicated data environment with competing federal, state, and industry-level regulations and frameworks. It also doesn’t help that there’s ambiguity around some of the directives outlined in the law, which will require diligent consideration.
While the CCPA is a state law, there’s a realistic chance that your organization, whether directly or through a third-party, handles *some* data on natural persons and/or residents of California, which is how the CCPA defines a “consumer”, and thus your organization likely has an obligation to adhere to the law.
How will my organization be impacted?
To get you up to speed, here are a few highlights:
- CCPA applies only to for-profit entities that do business with a party residing in California and meet any of the following thresholds:
  - Annual gross revenue in excess of $25 million
  - Buys, sells, or discloses the personal information of 50,000 or more consumers, households, or devices
  - Derives 50% or more of its annual revenues from selling consumers’ personal information
- Also includes entities that are controlled by a business that has at least 50% ownership or voting shares
- An important distinction – CCPA does NOT apply to non-profit organizations
- CCPA defines personal information as data, whether electronic or paper, that identifies a consumer or household.
- Data already governed by other security and privacy regulations (such as the Gramm-Leach-Bliley Act (“GLBA”) or HIPAA) is excluded from the CCPA.
- Similar to GDPR, the CCPA affords consumers ‘right-of-access’ to their personal information gathered by businesses over the course of a year, as well as a disclosure of how that information is gathered, utilized, and shared (if at all).
- Consumers are also provided a ‘right-to-deletion’ and a right to opt out of having their information sold to third parties. Part of this requirement includes having a “Do Not Sell My Information” function and/or button on the business’s homepage.
- Businesses are required to give consumers notice of their CCPA rights, and that notice must be readily available and easily readable. Businesses have 45 to 185 days to respond to consumer requests, depending on the complexity of the request.
- Businesses are not considered liable for CCPA violations made by third-party vendors; however, this limitation of liability does not apply if the business was aware, or was negligent in not knowing, that a third-party was in violation of the CCPA.
- If a CCPA violation occurs, businesses could be required to pay $100-750 per consumer per incident, in addition to other penalties.
What should I do?
Data Privacy has been squarely in the limelight thanks to Facebook, Cambridge Analytica, and the 2016 US election. Data has become the most valuable asset on the planet, and governments are now requiring its protection. If you haven’t realized yet, security and privacy compliance isn’t going away. It’s now a part of doing business in today’s marketplace.
Before you find yourself underwater, check in with your compliance team to determine whether your business is required to adhere to the CCPA now or in the near future.
Any additional resources I should be aware of?
You can find the CCPA full text on the California Legislature website to read up on the specifics.
HITRUST, a standards organization, offers a formal certification that incorporates the CCPA requirements in addition to other international and national frameworks and standards (such as NIST, ISO, HIPAA). You can learn more about this certification here.
You can also get in touch with us by dropping us a line on our Contact page. We’re happy to answer any questions you may have.
Photo by NASA Earth Observatory