The California Consumer Privacy Act (CCPA) has been in effect since the beginning of 2020. This new legislation requires certain businesses to disclose what personal data they hold to customers requesting that information. This is considered a landmark piece of legislation to secure California residents’ privacy rights. While it’s still unclear how much this legislation will impact businesses, there are rights set in place for what consumers can expect.
New Rights for California Consumers:
- Knowing what personal information is collected, used, shared or sold.
- Having the right to delete personal information held by businesses, and by extension business’s service providers.
- Exercising the right to opt-out of sale of personal information. (Children under 16 must provide opt-in consent. Children under 13 need parental or guardian consent.)
- Having the right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
So how will this impact the rest of the country? For one, California is not the only state to enact this sort of legislation. According to CNET, Nevada and Maine have already passed similar legislation and 11 other states are also considering privacy bills.
Another way it could impact more than just California residents is that some of the businesses complying with the CCPA are offering the same privacy rights to ALL U.S. customers, not just the ones who live in the Golden State. That means if you live in Iowa and want to know what a California business has on file about you, you may be able to find out and request it be removed from their servers.
How CCPA Compares to GDPR
While this new push for privacy may seem progressive to Americans, it’s been a part of European business practices for two years now and in a more aggressive way. The General Data Protection Regulation (GDPR) went into effect in 2018. The goal of the GDPR is to give individuals control over their own personal data. EU, EEA, and UK residents now have access to and can correct, delete, and export personal information. The GDPR also has more privacy controls in place, and much steeper fines and penalties for those who don’t comply.
These provisions apply to almost all organizations that collect data from EU, EEA, and UK individuals. That includes small businesses, non-profits, non-technology companies, and organizations operating outside of Europe.
The GDPR is also designed to make following regulations easier to comply with for groups working internationally. Under these parameters, organizations only have one set of privacy laws to understand and abide by, rather than a new set of laws for each country within the region.
Federal Privacy Law Potential
This sort of universal legislation may be something we see in the United States in the near future. With more states creating their own guidelines, there is talk of new, federal privacy legislation.
This possibility of federal privacy laws resembling the CCPA or GDRP is growing more likely after two U.S. Senators proposed legislation that would be stricter than the CCPA in some respects. According to the Brookings Institute, Senator Roger Wicker (R-MS) and Senator Maria Cantwell (D-WA) proposed bills that place stricter limitations on algorithmic decision-making, biometric data, and data minimization.
Federal legislation has been reassuring to some businesses already following CCPA. The concern is that each state will enact their own privacy laws, making it difficult for companies to keep up with so many different sets of rules. However, even though federal law supersedes state law, some federal laws allow states to enact tougher requirements on top of the federal regulations.
Concerns Over Privacy Legislation
As with any significant change, there are some concerns being raised over the stricter privacy laws. One case out of Germany shows why the concerns may be justified. An Amazon Alexa user requested all of his audio files the device had picked up. Instead, he was given 1,700 audio files from the wrong home. Amazon blamed the mistake on “human error” and said it was an isolated incident.
That’s just one example of how requesting a legitimate customer’s private data could also be acquired by the wrong person. However, even when businesses try to avoid this sort of mistake, the possibility of critical information getting into the hands of a criminal is there. That’s why some California businesses are now setting stricter guidelines for customers wanting to access their own data.
A New York Times article outlines a recent situation in which a business trying to comply with CCPA hired a third-party vendor to handle the influx of customer information requests. The vendor started verifying these requests by asking customers to supply more identification. This was typically done by asking for images of customers’ driver’s licenses and even additional photos of customers’ smiling. This sort of extra information was concerning to some customers. In short, the business wanted more private data to release the customer’s private data.
It appears to be a cyber security cycle that organizations are still trying to figure out. What is designed to help protect your data could put you at risk of exposing even more personal information.
What You Can Do
Being that this legislation is so new, businesses could use early compliance as an advantage. Using the time and resources needed to become CCPA or GDPR compliant could put you a step above the competition. Touting an emphasis on privacy is appealing to many consumers.
Even if you’re not proactive with privacy for a business boost, you should start considering what compliance will look like for your organization. Companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.
Here are a few steps your business should be taking now to get ready:
1. Designate a privacy officer, someone in charge of organizing the process to become compliant.
2. Be externally compliant. Update your privacy notice on your company website.
3. Think about data inventory. Know where information is located within your system.
4. Figure out how you will be able to obtain and report customer information when requested.
5. Decide on a verification process to ensure the data your giving out is to the correct person.
Figuring this all out may not be easy but getting to work on it early could save you a lot of issues and headaches later. Regardless if it’s CCPA or another piece of legislation, this is something many businesses will need to respond to. It’s up to each company to decide if they want to be proactive or reactive.
If you need help with objectives like inventory, security controls, process recommendations, or who to reach out to for legal compliance, Pratum representatives work with national and international businesses every day. A Pratum cybersecurity expert would be happy to help guide you through the privacy legislation process.