Recently, we discussed California’s sweeping new consumer data privacy law, called the California Consumers Protection Act (CCPA). This law, slated for full enforcement in the first half of 2020, imposes new, stringent requirements regarding the security and privacy of personally identifying information related to California residents. Because most large U.S. businesses meet the criteria that make them subject to CCPA, the law’s influence will extend far beyond California’s borders.
Today we dive a bit deeper into what’s known about the law’s requirements and how data mapping can help with CCPA compliance.
CCPA Compliance Requirements
At the time of this writing, the details of CCPA compliance requirements are not known; the California Attorney General is expected to publish regulations supporting the law in early 2020. However, from the text of the law, we know the following:
– CCPA does not prohibit businesses from selling personal information, but it does require businesses to enable adult California residents to opt out, that is, to actively indicate that they do not want their personal information sold or otherwise distributed.
– The phrase “adult California residents” is significant. Businesses must receive minors’ (ages 13-16) prior consent before selling their personal information (i.e., they must be “opted out” by default). For California residents under age 13, prior consent must be given by a parent or guardian.
– CCPA includes certain requirements for businesses’ privacy policies. Privacy policies must include, among other things, information about what personal information the business can sell and how to opt out. They should also offer methods for consumers to request to view, update, or delete their personal information held by a company subject to the law.
– “Personal information” includes names, physical addresses, email addresses, Social Security numbers, other official identifiers (such as driver’s license numbers), account numbers, geolocation data, and data that can be linked to an individual or household. Other information in this category includes electronic identifiers such as biometric data, IP addresses, and device MAC addresses.
Are CCPA and GDPR the Same?
A common misconception is that CCPA is simply California’s version of the European Union’s General Data Privacy Regulation (GDPR). But compliance with one doesn’t automatically mean a business is compliant with the other. There is a great deal of overlap between the two laws, there are some differences as well, so businesses subject to both need to ensure they are fully compliant with each regulation.
CCPA Data Mapping
The exact means for enforcing CCPA are not yet known, though the penalties are spelled out clearly. A company will be fined up to $7,500 per data disclosed unless the company remedies the violation within 30 days. If the violation is found to be unintentional, the fine will be $2,500. It’s a safe bet the regulations will provide for some investigational procedures for suspected violations as well as routine compliance audits.
In such investigations and audits, your business will be expected to show that it is compliant with the law. This means that you will need to be able to show:
– Where personal data is stored
– How it is structured
– Where it comes from
– How it propagates through the company’s data environment
– How it is protected and used
– How it is controlled to prevent inappropriate sale or distribution of personal data
All of this is greatly simplified by the use of comprehensive data mapping tools. By using a simple, intuitive, graphical presentation, these tools can make it much easier to show compliance with CCPA and any other data protection regulation now in existence or being contemplated.
If your business may be subject to CCPA, it’s absolutely worthwhile to look into implementing an automatic data mapping tool, like Octopai, in your organization’s data environment.