Every organization is obliged to ensure that the private data handled by its different departments is protected against misuse by unscrupulous individuals. To strengthen these protections, various regions have passed laws compelling all institutions to guarantee the security and confidentiality of personally identifiable information (PII). For example, Europe developed the European Union’s General Data Protection Regulation (GDPR).
While the United States lacks elaborate data protection laws, the State of California has pioneered the process. On September 23, 2018, the Senate passed Senate Bill 1121 (also called the California Consumer Privacy Act). This law will become fully effective on January 1, 2020, from which date all organizations dealing with the private data of California residents will have to comply with its regulatory requirements.
California’s New Data Privacy Law: What You Need to Know
What is the CCPA?
The rate of data breaches has been rising as technology advances. As such, governments and institutions have endeavored to find a solution to this potentially harmful phenomenon. In California, citizens and residents of the state agitated for a law to protect the private data of consumers. Through Californians for Consumer Privacy they presented their grievances and requested the relevant authorities to formulate laws that would safeguard their data.
As a result of their agitation, the California Senate drafted a bill which was quickly incorporated into the California Civil Code, thus ensuring that failure to comply would attract penalties.
Who Enforces the CCPA?
California’s Attorney General primarily enforces this regulatory law. The enforcer can impose fines on violators, thus ensuring maximum compliance.
Alternatively, any California resident can file a civil lawsuit against a business for non-compliance. In such a case, the company will be required to pay statutory damages and fines if found guilty.
CCPA Violation: What are the Fines and Penalties?
Violating the CCPA regulatory requirements will have a detrimental effect on your business. The statutory damages will range between $100 and $750 for every California resident who reports a violation of data privacy as a result of CCPA non-compliance. Besides the damages, the court is at liberty to impose any other fine that it may find appropriate.
If the violation of CCPA requirements is intentional, then your organization risks being fined up to $7,500. On the other hand, unintentional violations can attract a fine of up to $2,500.
Definition of Personal Data Based on CCPA
CCPA enumerates twelve categories of private data as below:
- All data that is listed as personal in the Civil Code 1798.80
- Real names, postal address, alias, email address, physical address, IP address, passport number, account number, or social security number
- Biometric data
- Anything that defines an individual’s ethnicity, race, gender, sexuality, or any other information classified as “protected” by California or Federal law
- Geolocation data
- Commercial information including purchasing trends, products and services, and property records
- Audio, thermal, electronic, olfactory, and visual information
- Any information that’s obtained from the internet. This includes the cache, browsing history, website interactions, and search history
- Psychometric information
- Data regarding an individual’s academic qualifications, professionalism, and employment history
- Any inference made from the above information
- Any data that is collected from minors
Who Should Comply with CCPA?
CCPA applies to all businesses that meet the criteria below:
- Have annual gross revenue of at least $25 million
- Receive or share any personal information associated with California residents, handling data for a minimum of 50,000 California residents
- Earn approximately half of their revenue by selling personal data belonging to California residents
All the businesses that meet the above criteria are obliged to comply with the regulatory laws. However, all non-profit organizations are exempt from the compliance process.
Who is protected by the CCPA regulations?
CCPA is designed to protect the private data of consumers. According to CCPA, consumers are defined as below:
- All the individuals who have lived in California beyond the allowed temporary period
- All the residents of California whose primary residence is the state but have moved to other states for a temporary period
- All customers of household goods and services, parties to B2B transactions, as well as employees working within the state
As such, you will need to comply with this regulation even when your organization operates outside the state. This is the case if you regularly handle data belonging to California residents.
Meaning of “Provide Upon Request”
Any company or organization is required by law to provide the personal data it holds about a specific customer. The business should offer several channels through which every individual can request their personal data. Recommended channels include a toll-free number published on the website. Additionally, there should be a section on the organization’s website that allows the consumer to make a formal application for the data. Once this stage is complete, the company should release the information after 45 days from the day of the request.
What is the “Right to know”?
The consumer reserves the express right to know how their private data is handled. If a third-party vendor is involved, the customer is entitled to demand the vendor’s full contact details as well as an elaborate explanation of how the third party intends to use the data.
How Businesses Can Comply with the “Right to Know” Requirement
It’s crucial that businesses verify the identity of the customer to avoid releasing the information to the wrong individual. Also, the company should document all the data collected from consumers over the previous year. The consumer reserves the right to know the names and contact details of the third-party vendors involved in handling the data.
Definition of the “Right to Opt Out”
This is the consumer’s right to prevent the sale or disclosure of their private information to a third party.
What Businesses Need to Do to Comply with the Opt-Out Requirement
The business should include a conspicuous section on their website that allows the consumers to opt out of any engagement with a third-party vendor.