California now has the most stringent data protection law in effect of any state, and the California Consumer Privacy Act of 2018 (CCPA) in several respects goes beyond the European Union's General Data Protection Regulation (GDPR), which took effect in 2018.
Essentially, the law (AB 375) grants Californians the right to demand to see the personal information a company has collected about them, including the categories of third parties with whom that information is shared or sold.
Companies doing business in California that meet specific criteria* must perform certain duties or face significant fines:
- Disclose what specific personal information is collected.
- Inform consumers of the purpose and use of the data collected.
- Disclose and deliver the personal information collected, free of charge, on request from the consumer.
- Track and manage all personal information collected so that it can be located, delivered, and deleted on request.
- Inform consumers of data breaches.
*Which companies must comply? Any for-profit business that collects Californians' personal information and meets at least one of the following thresholds:
- $25M or more in annual gross revenue
- Buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
- Derives 50% or more of its annual revenue from selling personal information
While the new law applies only to a subset of companies, its consumer protections could set the standard for other states:
- Consumers can know what personal data is being collected
- Discover what information is sold or shared, and with which categories of organizations (third parties)
- Receive their collected and shared information within 45 days of the request
- Opt out of the sale of their personal data and request that it be deleted
Penalties are significant: up to $2,500 per violation, and up to $7,500 per intentional violation, of any provision of the CCPA.
Simply extending an existing GDPR program will not be adequate. CCPA differs from GDPR in several important respects:
- CCPA is more prescriptive than GDPR about communication with consumers, breach notification and timing, and how personal information is managed.
- CCPA defines "consumer" and "personal information" differently from GDPR, and in some respects more broadly (for example, it covers household-level data).
- CCPA rules more directly affect how third-party vendors and the sale of data to them are handled.
If your company does business in California and meets the criteria above, what should you do to comply? CyLumena suggests the following immediate steps:
- Assess your current data privacy protection, processes, and governance
- Conduct data inventories and data mapping so you know what personal information you hold, where it lives, and who it is shared with, and confirm that your practices meet CCPA requirements
- Modernize policies around data usage, consumer consent, and how consumers can opt in or out
- Ensure that your current consumer data policies are adequately practiced
- Review and update, as needed, your consumer communication processes and the tasks involved in responding to inquiries and requests within the required timeframes
CyLumena can help ensure that your company is compliant with both CCPA and GDPR. Our team can also review your philosophy, standards, and practices for how data monetization is managed from a cybersecurity perspective.