With the California Consumer Privacy Act (CCPA) coming into effect in January 2020, all eyes are on the UK to see what lessons can be carried across the pond. Just like the GDPR, the CCPA legislation is designed to enhance privacy rights and consumer protection for residents, affecting every business across the USA with customers in California.
Generation privacy has begun
In the last 12 months, data privacy has moved from a niche topic to something talked about in almost every corporation’s boardroom.
Unlike the UK, where data privacy was already a prevalent part of our business operations due to the long-standing Data Protection Act, many US-based companies haven’t previously been regulated. This means that complying with the CCPA is a huge change.
Exonar simplifies the California Consumer Privacy Act (CCPA) by getting right to the heart of the matter: Finding, Mapping and Managing your data.
How Exonar can help with CCPA
Data Subject Access Requests
Right To Be Forgotten
Meet the Personal Data Privacy dashboard
Exonar’s Privacy dashboard provides a top-down view of your organisation’s information in relation to the California Consumer Privacy Act (CCPA).
It shows a comprehensive picture of all the data held which is relevant to the law, where it is held and its characteristics.
This view will take your organisation beyond spreadsheets and interviews, and into the realm of making well-informed decisions, rapidly.
Preparing for the CCPA
Preparing for the CCPA shares many characteristics with the preparations undertaken for GDPR:
a. Assemble the team
Include Executive Sponsors and stakeholders from Legal, Compliance or your data privacy team, people with oversight of your corporation’s technology and its security, and representatives from the key personal data owners in your business (e.g. HR, Sales, Marketing, Customer Service).
b. Get started with a data inventory
Prioritise information stores likely to contain personal data and those with poor governance. Be practical: start with those that are easy to create an inventory from.
Don’t rely on your corporation’s answers to questionnaires for your data inventory, or you will get an idealistic view of your risk. For instance, your head of marketing is likely to say the personal data they process is in the marketing system, forgetting that it got there via email and has been exported into spreadsheets. You will need technology like Exonar to operationalise this effectively.
c. Establish a culture of security and privacy
This needs to be ingrained into your day-to-day operations. Communicate a simplified overview of CCPA to the key stakeholders.
d. Create and practise your business processes
Look at what will be required to satisfy the rights of the individual (Access to data, erasure, breach notification).
There are many similarities and some key differences between GDPR and CCPA. Here is Exonar’s take:
Basis for Consent
Who it applies to
GDPR: Any organisation holding personal data on EU citizens
CCPA: For-profit entities that process personal data of California residents and either:
1. Do $24 million in annual revenue
2. Hold the personal data of 50,000 people, households, or devices
3. Do at least half of their revenue in the sale of personal data.
Rights for Individuals
GDPR: Access to data being held, right to erasure, correction, object to automated processing. Right to notification if there is a data breach.
CCPA: Right to disclosure and objection relating to who data is being sold to, no discrimination if individual objects to data sold. Right of access to data being held. Right to know how personal data is being used. Right to know who data has been provided to.
When does it come into force
GDPR: May 25, 2018
CCPA: Jan 1, 2020
Penalties
GDPR: 4% of turnover or €20m (whichever is greater)
CCPA: $7,500 per violation. $750 or actual damages for each individual, whichever is greater
Time allowed to respond to a request
NB: A California resident is defined as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
The Definitive, Easily Searchable Text
Follow the link below to read the full California Consumer Privacy Act text, with each section clearly marked and searchable.
The California Consumer Privacy Act 2018 (AB 375) was passed by the legislature on June 29th 2018, and these new rules will now govern most organisations holding data on US citizens.