January 1, 2020 is just around the corner, and with it the California Consumer Privacy Act (CCPA) comes into effect. Individuals, companies and organizations alike should be preparing now and learning how the CCPA will shape data privacy and regulation in 2020 and beyond.
How does CCPA affect consumers? CCPA gives California residents new data rights and management tools intended to increase transparency around how an individual's data is used. These rights include:
- The right to know what personal information is collected.
- The right to opt out of the sale of personal information.
- The right to access collected personal information and to request its deletion.
- The right to know whether personal information is sold or disclosed, and to whom.
- The right not to be discriminated against for exercising rights under the Act.
CCPA’s broad definition of a “sale” covers any disclosure of personal information in exchange for monetary or other valuable consideration, not just a cash transaction. Personal information is also defined broadly: data that can be associated with a household or a device (for example a home router’s IP address), and not only with a single named individual, counts as personal information.
5 steps to help make sure your business or company is CCPA compliant:
- Know where your data is. If it’s in a cloud environment, inventory and manage it using the data-classification and access tools the cloud provider offers.
- Encrypt or redact your data. CCPA’s private right of action applies to breaches of nonencrypted and nonredacted personal information, so if there’s a breach and you must provide notification, unencrypted data exposes you to statutory damages and class actions.
- Systematically monitor and analyze users’ access to data. Application audit logs record user activity so you can see which privileged users are accessing which data; this helps you fulfill CCPA requests and detect or prevent privacy breaches.
- Track and respond to opt-out and opt-in requests. If you’re “selling” personal information, you need to offer all users the ability to opt out of sales of their data. Data mapping lets you distinguish a sale from a transfer to a service provider, which the Act treats differently.
- Offer at least two ways for consumers to make requests. CCPA requires a business to provide two or more designated methods for submitting requests to know and delete, such as a toll-free telephone number and a web address, and a clear “Do Not Sell My Personal Information” path for opting out of sales.
Are GDPR and CCPA the same? No, GDPR compliance does not equal CCPA compliance. While CCPA’s data subject rights like access, deletion, and data portability are similar to GDPR, the way you verify requests and handle consent is different. Unlike GDPR, CCPA explicitly covers devices and household information: if a device or internet activity can be associated with a household of several people, it is personal information even though it does not identify any one of them. CCPA is quite unlike any previous U.S. law and deviates from GDPR in these respects. Complying with GDPR provides a strong head start on CCPA compliance, but it is not enough to fulfill all the Act’s requirements.
January 1 is fast approaching, but it is not the be-all and end-all of data regulation. The CCPA will continue to evolve and adapt as times change. Along the way, other states like Maryland and Massachusetts will likely create their own versions of CCPA, which can affect your privacy management even further. Eventually the United States will adopt some sort of federal privacy law, but for now it is important to stay up to date on all things relating to CCPA.