In June 2018, California legislators passed the California Consumer Privacy Act (aka CaCPA or CCPA). CaCPA’s rapid passage – it started as a ballot initiative that was removed in favor of a legislative replacement that went from draft to law in less than a week – creates a number of challenges for companies due to a number of ambiguities and issues in the law that make achieving compliance a complex task.
But it does create an opportunity for companies to step up and distinguish themselves through strong data governance and data ethics programs. CCPA compliance will help companies bolster their commitments to honoring consumer choices as well demonstrating transparency and trust.
What Is CCPA ?
The California Consumer Privacy Act (CCPA) is the most comprehensive privacy law in the country. Targeted at companies that collect and/or sell personal information, it is designed to give Californians more control over their own data.
The following are among the major new data protections CCPA introduces:
- Right to access information – Consumers in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request the following, which must be provided in a digestible format:
- Which categories of information were collected and sold
- From whom this information was collected, with whom it was shared, and to whom it was sold
- Why it was collected
- Right to deletion – Consumers in California will be able to request that a company delete the personal information it has collected about them.
- Right to opt out – Consumers in California will be able to direct a company to not sell their personal information to third parties (although the definition of “sell” in the bill is broader than simply monetary exchange).
Although it was passed in June 2018, California Consumer Privacy Act will go into effect on January 1, 2020. As a result, companies can expect California legislators to continue to clarify and amend CCPA leading up to the enforcement date. A number of amendments have already been passed, including the introduction of a six-month enforcement grace period to July 1, 2020.
Does GDPR Compliance Cover CCPA Compliance?
Even though California Consumer Privacy Act has been dubbed “California’s Mini-GDPR,” it is not interchangeable with the EU’s data protection regulation. There are distinct differences between the two pieces of legislation, the most significant of which is the definition of personal information.
CaCPA’s take on what constitutes “personal information,” shared below, is even broader than GDPR’s definition:
“Personal information” is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
As outlined, the California Consumer Privacy Act encompasses virtually every interaction in the digital space, putting companies under significant compliance obligations. For organizations that are already down the path to GDPR compliance, CCPA compliance will be much easier, but still require serious effort.
How to Achieve CCPA Compliance
To comply with California Consumer Privacy Act , companies should start with the following:
- Establish processes for facilitating consumer requests – Companies need to put mechanisms in place to effectively and efficiently respond to consumer requests to access and delete their personal information and opt out of having it sold. Notably, although CaCPA goes into effect on January 1, 2020, consumers will have the right to request access to their data from the preceding 12 months. This means companies must be prepared to provide this information dating back to January 1, 2019, underscoring the importance of starting compliance efforts early.
- Revise privacy policies and websites – Beyond the expected privacy policy adjustments necessary to comply with new regulations, CCPA also requires companies to modify their digital properties. For instance, to comply with the opt-out notice, companies must provide a clearly visible link on the home page of their website to make it easy for the consumer to opt out of selling their data to third parties.
- Bolster partner and vendor evaluations and controls – Many consumer experiences are enabled by various SDKs and APIs. Under the California Consumer Privacy Act, companies will likely be affected by the data collection, sharing, and selling practices of their partners and vendors, creating a need for business and legal teams to perform thorough vetting of all parties involved.
Of course, it takes organizational commitment and a clear methodology to build a data ethics program that goes above and beyond regulation. Doing so is the only way to control your future for the complexity that will result from the present and future applications of data usage.
Learn more about achieving California Consumer Privacy Act compliance on our blog.