California Consumer Privacy Act (CCPA): What you need to know

In a bid to protect data privacy and to stop data breaches and the compromise of personal information, the state of California has decided to implement the California Consumer Privacy Act (CCPA), starting January 2020. This move will benefit consumers at large and do away with free or unauthorised access to personal information.

With the goal of increasing transparency, access and control over such personal information, as well as corporate accountability, the state of California (CA) had earlier passed the California Consumer Privacy Act (CCPA) in June 2018 to plug these data leaks. The Act takes effect in January 2020, becomes enforceable in July 2020, and applies to the state of CA.

In the wake of the CCPA implementation, the role of IT security advisors will become critical, as organizations will require IT security advice on deployable solutions, on managing their IT security so that data is made more secure, and on how that data can be shared.

In this context, the Act classifies the following as personal information:

  • Personal data
  • IP Address
  • Geo-location data
  • Biometric information
  • Device and cookie IDs
  • Internet activity information such as browsing history and purchase history, and individual information on race, colour, age, sex, religion, genetic information, sexual orientation, political affiliation, national origin and citizenship status
  • Inferences drawn from personal information to profile consumer preferences, characteristics, psychological trends, behaviour and abilities

The same Act grants consumers greater rights, such as:

  • Right to know
  • Right to equal service and privileges
  • Right to access
  • Right to erasure
  • Right to opt out
  • Protection of minors

Who needs to comply with this Act

Companies fall within the scope of the Act if they:

  • Generate over $25 million in annual gross revenue
  • Collect, share, buy or sell the data of at least 50,000 consumers
  • Make at least 50% of their revenue from the sale of personal information

What is exempt

The CCPA exempts non-profit entities that handle healthcare information, as well as providers and businesses already covered by the Health Insurance Portability and Accountability Act (HIPAA). In the case of wearable tech companies, the status of the data they collect is unclear.


 In case of default to comply with the Act, penalties will be levied : up to $2500 for negligent violations, $7500 for intentional violations; and $ 100-$750 consumer per incident.

Role of Vendors

IT security and service providers will have a big role to play. Vendors can offer data protection as a service along the lines of managed services, or help companies appoint a data protection officer. C-level executives are now realising that compliance is not just a part-time job, and that a significant investment of time in compliance is very much required. With regulations like the GDPR and the CCPA, newly designated roles such as data protection officer will be created.


 Enactment of this Act is a big welcome to all the residents, how this is going to be implemented and how ready are companies in terms of proper IT security deployments remains a question.  Companies who are into the business of collecting data have to be real smart in complying with the laws.  The need for IT security audit, or IT health assessment will bring the best practices in place.