The European privacy law – GDPR – raised a lot of issues in organizations across the world that provide products and services to EU citizens. But GDPR is just the first of many new privacy laws organizations need to think about. NYDFS has also caused its share of challenges for companies that operate in New York, and now California is in the process of enacting its own privacy law – The California Consumer Privacy Act 2018 (CCPA).
Privacy is top of mind
GDPR has been officially in effect since May 2018, and companies seem to be getting a handle on what needs to be done to ensure compliance with it. The GDPR applies to people or companies located in or doing business in the EU and involves several key rights for “data subjects” (those in the EU affected by the regulation):
- The right to know if you have their personal data
- The right to see what data you have and request it be updated
- The right to get a copy of it
- The right to request you delete it (also called the right to be forgotten) – and prove you removed it
- The right to data portability – you have to package it up and send it to another party – typically a competitor
These data subject rights require many organizations to change the way they store personal information. With much of this information stored across a number of repositories in the organization, it can be virtually impossible to get a clear picture of what the company has, let alone find it all in order to delete it at the consumer’s request.
The NYDFS cybersecurity regulation out of New York has resulted in similar challenges for organizations dealing with consumers in that state and extended the requirements to include the application of retention periods. Now, California has joined the efforts to protect the privacy of its citizens.
What is the CCPA?
The California Consumer Privacy Act 2018 (CCPA) was passed in June of 2018 and goes into effect in January 2020. It is similar in many ways to the EU GDPR, but it’s not simply a mirror privacy regulation.
CCPA applies to “natural persons who are California residents.” It gives them:
- The right to know what personal information a company has collected on them, where it was collected and what it’s used for
- The right to know, if that information was sold to a third party, who that third party was
- The right to have their personal information deleted
- The right to opt out of a company selling their personal information to other companies
- The right to still be treated equally regarding service and pricing if they do opt out or don’t want their information sold
It’s important to note that there are exceptions to these rights, so read through the regulation carefully to understand if an exception might apply to how you deal with personal data.
What do companies need to do?
- Provide two ways for a citizen to make an information request – the minimum being a toll-free number and something on the website.
- Provide clear guidance in their privacy policies on what information they collect and why. These policies must be updated every 12 months.
- Provide the requested information either physically or electronically, and if electronically, it needs to be in a format that’s easy to understand and transportable to another company. It also needs to be categorized according to the categories defined in the regulation.
- Ensure all information collected is secure and not susceptible to security breach/hacking.
A company has 45 days to respond to a request and must share all information it has collected in the last 12 months. There can be extensions, but there must be a good reason and the person requesting the information must be notified. A person can make a request up to two times in a twelve-month period.
The CCPA does not apply to all companies doing business in California. It applies to for-profit companies that process personal data of California residents and meet at least one of the following:
- Have $24 million in annual revenue
- Hold personal data on 50,000 people, households or devices
- Derive at least half their revenue from the sale of personal data
The penalties for not complying range from $100-750 per individual/incident or personal damages (if greater) and $7500 per violation.
What CCPA means for information governance
Any company that has customers, or is trying to get customers in California must put processes in place to comply with the CCPA, and that has implications for information governance processes in a few ways.
- Finding Personal Data Across the Organization: If a person requests to know what personal information you store on them and how it was collected, you need to have a view of their data across the organization and a way to search it. You will also need to pull that information into a readable, shareable format.
- Categorizing Personal Information: Information collected must be organized by specific categories defined in the regulations. This will affect the categories, content types, and metadata you manage on the information you capture. Examples of categories include identifiers such as name, social security number, IP address, email and more; commercial information; biometric data; Internet or electronic network activity information (browsing history, search history, clickstream, cookies, etc.); geolocation data; and more.
- Storage of information for a 12 month period: The CCPA requires you to provide all personal information you have collected in the twelve-month period preceding the request, so you will need a way to store and manage this information even if you no longer use it.
- Secure Information: You are required to ensure all personal information collected is secure and not at risk of exposure to outside individuals. This can be a challenge for organizations allowing employees to store personal information (intentionally or not) in unsecured locations.
These processes are not unique to the CCPA. They are typical use cases organizations face in a variety of situations. So the good news is that you don’t have to reinvent the wheel to get in compliance. The recommended approach to getting in compliance for GDPR applies here as well:
- Prepare an inventory of every location in which you may store personal information (intentionally or not)
- Identify personal and sensitive information wherever it is located, tag it and take whatever action is needed (move, delete or mask) to bring it into compliance with your policy
- Design and test a system for supporting CA citizen rights and requests.
- Prepare CCPA-level consent management for how personal information is used/shared
- Plan for ongoing support.
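The inventory, identify-and-tag, and request-support steps above can be exercised end to end in a small script. The following is an added example, not code from this post or from Everteam: it scans constructed sample records from a few repositories, tags each hit with one of the CCPA category names the post lists (identifiers, geolocation data), masks the hits in place, and scopes a consumer access request to the twelve-month lookback window and 45-day response deadline described earlier. The regexes, the `Document`/`Finding` types, the sample records and the helper names are this example's own assumptions, not a statutory mapping or production-grade PII detection.

```python
"""Added example: find, categorize and mask personal information, then scope
a consumer access request to the CCPA lookback window and response deadline.
All sample records below are constructed for illustration."""
from __future__ import annotations

import calendar
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Detectors keyed by (CCPA category from the post, identifier kind).
# The patterns are deliberately simple illustrations (assumption), not
# production-grade PII detection; real scanners need far more rules.
DETECTORS = {
    ("identifiers", "email"): re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    ("identifiers", "ssn"): re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    ("identifiers", "ipv4"): re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    ("geolocation data", "latlong"): re.compile(
        r"-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}"),
}


@dataclass(frozen=True)
class Finding:
    category: str  # CCPA category the hit is reported under
    kind: str      # which detector fired
    value: str     # the matched text


@dataclass
class Document:
    repository: str     # inventory step: where the record lives
    collected_on: date  # when the personal data was collected
    text: str


def scan_text(text: str) -> list[Finding]:
    """Identify-and-tag step: every identifier found, labelled by category."""
    findings: list[Finding] = []
    for (category, kind), pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(category, kind, match.group(0)))
    return findings


def mask_text(text: str) -> str:
    """'Mask' action: keep only the last four characters of each hit."""
    masked = text
    for pattern in DETECTORS.values():
        masked = pattern.sub(
            lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], masked)
    return masked


def lookback_start(request_date: date, months: int = 12) -> date:
    """Same calendar day `months` earlier; clamps the day for short months."""
    total = request_date.year * 12 + request_date.month - 1 - months
    year, month_index = divmod(total, 12)
    month = month_index + 1
    day = min(request_date.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(request_date: date, days: int = 45) -> date:
    """The post's 45-day response window, before any justified extension."""
    return request_date + timedelta(days=days)


def answer_access_request(documents: list[Document], request_date: date) -> dict:
    """Disclosure for one request: only records collected inside the
    lookback window, grouped by category, with the repository each hit
    came from so it can be located again (e.g. for a deletion request)."""
    start = lookback_start(request_date)
    by_category: dict[str, set[tuple[str, str]]] = {}
    for doc in documents:
        if not (start <= doc.collected_on <= request_date):
            continue  # outside the twelve-month period: not part of this answer
        for finding in scan_text(doc.text):
            by_category.setdefault(finding.category, set()).add(
                (finding.kind, doc.repository))
    return {
        "window_start": start,
        "deadline": response_deadline(request_date),
        "categories": {c: sorted(v) for c, v in by_category.items()},
    }


# Constructed sample records spread across three repositories (not real data).
SAMPLE_DOCUMENTS = [
    Document("crm", date(2019, 9, 3),
             "Customer Jane Doe, jane.doe@example.com, SSN 123-45-6789"),
    Document("web-logs", date(2019, 11, 20),
             "GET /pricing from 10.0.0.5 geo=37.7749, -122.4194"),
    Document("old-archive", date(2018, 2, 14),
             "Legacy contact: jane.doe@example.com"),
]

if __name__ == "__main__":
    answer = answer_access_request(SAMPLE_DOCUMENTS, date(2020, 1, 15))
    print("respond by", answer["deadline"], "covering from", answer["window_start"])
    for category, hits in answer["categories"].items():
        print(category, hits)
    for doc in SAMPLE_DOCUMENTS:
        print(doc.repository, "->", mask_text(doc.text))
```

Running the script shows the old-archive record dropping out of the answer because it predates the window, while the same email address in the CRM is still reported; that is the practical reason the post asks for a way to store and manage records for the full twelve months even when they are no longer in active use.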
There are tools available to support the CCPA including file and content analytics, archiving and records management. When you are ready, we can show you how Everteam helps organizations support compliance regulations like CCPA, GDPR, and NYDFS by documenting policies, finding sensitive data and applying retention rules to classified content.