Modeled after the European Union’s General Data Protection Regulation (GDPR), which was brought into force at the beginning of May 2018, the California Consumer Privacy Act (CCPA) was signed into law in June of the same year and although the requirements do not go into effect until Jan 1, 2020, many are already deliberating if it will spread its roots to more states, provoking them to follow suit and enact privacy laws of their own.
As it stands, companies and any for-profit businesses that deal with the collection and processing of California state residents’ personal information or do business in the state will have to comply. In addition, the business must fall into one of the following criteria for it to apply, these are:
- The business should generate an annual gross revenue of over $25 million
- The business should determine a minimum of 50% of its annual revenue by the sales of the personal information of California residents
- The business should annually receive or share the personal information of 50k or more California residents
The rise in the threat of data breaches means that the likelihood of similar regulations coming in to force throughout the U.S. is a real possibility in a means to protect the general public. With regulations in data privacy generally having heavy penalties in place for noncompliance, having regulations in place will help ensure that businesses do the right thing, even if solely to avoid fines.
Consumers are also beginning to see that their data is worth something and will no longer give it up freely, adapting the way that they share their personal information, with whom, and how much is shared is now on the forefront of their minds. They want to know how it is going to be used and what they get from sharing their information. The CCPA gives consumers new rights which give them more control over their personal information. These are:
- Businesses must let consumers know what personal information is being collected from them. How it is being collected and used and if and to whom it is being disclosed or sold to.
- Consumers must be presented with an easy process to opt-out of having their personal information sold to a third party.
- Consumers can request that a business remove any personal information that they may have on the consumer and businesses must inform the consumer that they have this right. The information must also be deleted by any third party with whom the business may have shared the consumer’s personal information.
- A business cannot discriminate against a consumer who has asked for their information to be deleted. This prevents companies from charging a fee because they exercised a right under the new regulation.
With the prospect of more states developing regulations to match the CCPA, it leads to a need for collaboration between the government and industry to decide on general policy protections and best practices.
Establishing national guidelines becomes increasingly important as state-level initiatives become unbalanced and a challenge for businesses and agencies to implement, for example, in Europe, the concern is growing about the extent of the implementation and consistent application of the GDPR rules across its EU member states.
Financial constraints and the lack of enough human resources for the national data protection authorities (DPAs), particularly in countries such as Spain, Italy, Romania, and Greece do not get the resources needed to effectively perform their tasks or to put their powers to use. This creates a challenge in assistance and cooperation between the DPAs and the EU.
The GDPR continues to address early adoption issues, and the CCPA may not have gone into effect just yet – but businesses should start to formulate a plan even if the law may not impact them.
More regulation is coming and being preparing for the future is the best course of action, including ensuring that every organization serving the public has security solutions in place, including ensuring all data is secured against cybercrime, and all individuals within an organization are being observed and managed, reducing internal threats and external attacks.
Author: Ali Gomulu