Modeled after the European Union’s General Data Protection Regulation (GDPR), which was brought into force at the beginning of May 2018, the California Consumer Privacy Act (CCPA) was signed into law in June of the same year and although the requirements do not go into effect until Jan 1, 2020, many are already deliberating if it will spread its roots to more states, provoking them to follow suit and enact privacy laws of their own.
As it stands, companies and any for-profit businesses that deal with the collection and processing of California state residents’ personal information or do business in the state will have to comply. In addition, the business must fall into one of the following criteria for it to apply, these are:
The business should generate an annual gross revenue of over $25 million
The business should determine a minimum of 50% of its annual revenue by the sales of the personal information of California residents
The business should annually receive or share the personal information of 50k or more California residents
The rise in the threat of data breaches means that the likelihood of similar regulations coming in to force throughout the U.S. is a real possibility in a means to protect the general public. With regulations in data privacy generally having heavy penalties in place for noncompliance, having regulations in place will help ensure that businesses do the right thing, even if solely to avoid fines.
Consumers are also beginning to see that their data is worth something and will no longer give it up freely, adapting the way that they share their personal information, with whom, and how much is shared is now on the forefront of their minds. They want to know how it is going to be used and what they get from sharing their information. The CCPA gives consumers new rights which give them more control over their personal information. These are:
With the prospect of more states developing regulations to match the CCPA, it leads to a need for collaboration between the government and industry to decide on general policy protections and best practices.
Establishing national guidelines becomes increasingly important as state-level initiatives become unbalanced and a challenge for businesses and agencies to implement, for example, in Europe, the concern is growing about the extent of the implementation and consistent application of the GDPR rules across its EU member states.
Financial constraints and the lack of enough human resources for the national data protection authorities (DPAs), particularly in countries such as Spain, Italy, Romania, and Greece do not get the resources needed to effectively perform their tasks or to put their powers to use. This creates a challenge in assistance and cooperation between the DPAs and the EU.
The GDPR continues to address early adoption issues, and the CCPA may not have gone into effect just yet – but businesses should start to formulate a plan even if the law may not impact them.
More regulation is coming and being preparing for the future is the best course of action, including ensuring that every organization serving the public has security solutions in place, including ensuring all data is secured against cybercrime, and all individuals within an organization are being observed and managed, reducing internal threats and external attacks.
Author: Ali Gomulu