On June 28th, 2018, California signed a new law called the California Consumer Privacy Act (CCPA), which went into effect on January 1st, 2020. On July 1st, 2020 the law entered its enforcement phase, meaning that California's Attorney General now has the power to take direct action against businesses that fail to comply with the requirements of the CCPA. The act is intended to protect consumer rights and to dictate how data is handled both in state and out of state. It does this by granting California consumers in-depth data privacy rights and control over their personal information: the right to know, the right to delete, and the right to opt out of the sale of the personal data that businesses collect. The law also offers additional protections for minors who are 13 years old and under. If you market to or do business with consumers from California, these new guidelines could pose a problem for you and your business unless you adjust now to handle the new rules.
Does CCPA apply to you and what businesses are affected?
The CCPA applies to for-profit enterprises that hold any California resident's data in their systems. If you are a not-for-profit business or charity, the CCPA guidelines won't apply to your business. You are also exempt if you are a health provider or insurer covered by HIPAA rules, or a credit reporting agency covered by the Fair Credit Reporting Act. If your business is for-profit and you handle data that includes California consumers, you must comply with the CCPA guidelines.
What to do if you fall under these criteria?
If you meet any of the criteria laid out above and are wondering what your next steps are, the following tips outline some major points from the CCPA guidelines. If you store California consumer data, or sell and distribute it to other marketing channels, you must follow these rules and be aware of the California consumer's rights. If you don't obey the new safeguards, be aware that you could face a hefty fine.
The CCPA is designed to give consumers many of the same data protections that GDPR gives to its consumers. The main points to be aware of when handling consumer data are that the consumer has the right to know how you store their data, the right to access that data, and the right to opt out of the sale of their data without being discriminated against for doing so.
If a California user agrees to have their data stored by your business or on your website, that consumer automatically falls under the protections of the CCPA. One standard that may be unfamiliar to those who don't handle GDPR consumers' data is that from the moment your company begins tracking or recording the consumer's data, the user must be notified and must agree to any actions you take. For example, when a user first accesses your website, you have them agree to have their traffic monitored, and once the user has opted in you will need to supply them with a copy of your company's privacy guidelines.
Another new rule for California consumer data concerns the consumer's ability to opt in and back out. A consumer now has the right to withdraw at any time from having their data stored, and the company holding that data must honor the request without question. It also means that if your business decides to sell any California consumer data to another company at any time, your business is responsible for notifying the consumer of the potential transfer. The consumer must then opt in to let the new company keep their information, and must retain the ability to opt in or opt out at any given time and for any future data transfers.

The consumer is also given the right to access the data your company holds on them at any time. Under the CCPA, the user can request access to their data twice a year if they wish. Once a request is made, the company must provide all the data and information it has stored on that consumer within 45 days. If the company feels it can't meet that deadline, it can take a 45-day extension so that it can avoid fines.

Furthermore, the CCPA requires that consumer data be stored securely. If a consumer decides to store their information with your company, it is the company's responsibility to make sure this is done to robust security standards. While the CCPA lays out no specific guideline that you must follow, it is recommended that you follow the NIST 800-series guidelines when storing this data. NIST publications are among the most widely followed standards in the industry, and they will help make sure you meet the criteria and other industry guidelines that represent best practices for protecting and monitoring data.
The CCPA is a win for consumer privacy rights; however, it does make the sales and marketing landscape a little more difficult when approaching new customers. Getting ahead of these compliance restrictions early will go a long way toward making sure your business doesn't get hit with any unnecessary fines.
Data privacy has been top of mind for the past couple of years, and if your business has been keeping up with it, you should have no trouble holding California consumer data securely. If not, now may be the time to invest in the protections needed to ensure your consumers can feel safe knowing that their information is being handled appropriately.
Written by Adam Voss
Adam Voss is a recent cybersecurity graduate from Maryville University with an emphasis on pen-testing. He works at TechGuard as a cybersecurity analyst and is eager to get into the field. When he's not working on projects or expanding his knowledge in the field to earn his certs, he can be found doing something that involves physical exercise or rooting for the Cardinals or Blues.