In 2018, California passed the California Consumer Privacy Act (CCPA), which grants California residents the right to know what data corporations harvest from them and to control how that data is shared. The CCPA includes six key principles with respect to data protection for California residents, who have the rights to:
- Know when companies are collecting their data, and how much;
- Know whether any data collector sells or otherwise discloses the data to another party;
- Refuse sale of their personal data;
- Access any personal data collected;
- Demand that personal data previously collected be deleted; and
- Not face discrimination for exercising the other five rights.
In other words, if you live in California, you’ve got a right to know what corporations know about you – and the ability to stop them from sharing it with other companies. It doesn’t apply to every company, only to businesses over a certain revenue threshold that make significant profits off of consumer data. But that describes a lot of companies out there, and it probably includes your bank, in part because the CCPA applies to any company that uses the data of California residents whether or not the company itself is located in California.
If you’re steering the company ship, what can you do to comply with the CCPA and protect your reputation? To start, since customers have the right to know what data a company holds and whether it’s sold or transferred to another entity, internal recordkeeping is more vital than ever. If you maintain accurate records that trace the movement of any given customer’s data in order to be able to provide it back to the customer on request, you’re in good shape.
It also pays to install protocols both for protecting and destroying data, as customers are allowed to refuse the sale of their data or demand it be deleted. Let’s say a customer calls and requests their data be purged. You remove it from your company’s internal system, but then what? To satisfy the customer and remain in compliance with the CCPA, you’ll need to audit vendors or other entities you regularly work with to ensure you’re all securely on the same page. Controlling the data that you share externally in the first place by using a program like ALTR can help. Instead of giving every vendor unchecked access to the entire pool of customer data, ALTR dynamically masks chosen fields and gives each vendor access only to exactly what they need to complete their work. Along with controlling what they see, you can also control how much by imposing thresholds that block access once limits are exceeded, stopping a breach in real time. Curbing the flow of data this way makes it easier to fulfill those customer requests.
When it comes to customer calls, the CCPA gives companies 45 days to respond to consumer data requests. Creating a team specifically trained to respond to data requests within this timeframe will put your company ahead of the curve. Training a few key employees to respond to requests efficiently will almost certainly be easier than scrambling to comply only after requests have started to pile up. ALTR’s Data Access Monitoring as a Service can help the team identify who accessed what data, when they accessed it, and how much was viewed, and give that information directly back to the customer in real time. By logging all data requests and responses immutably, you have an audit trail that makes compliance easy.
While the CCPA does not go as far as its New York counterpart act with respect to potential lawsuits, leaving enforcement primarily to the office of the attorney general, it’s of course better to avoid lawsuits altogether by ensuring you’re in compliance. California will thank you, and so will your customers.
To learn how ALTR is helping organizations like yours, check out our latest CCPA case study.
For more details about CCPA and GDPR, check out the chart below:
CCPA & GDPR – What You Need to Know

| | CCPA | GDPR |
|---|---|---|
| Who is Protected? | Consumers (California residents that live in California for other than a temporary purpose). Cal. Civ. Code § 1798.140(g) and Cal. Code Regs. tit. 18, § 17014. | Any identifiable persons to which personal data relates (EU specifically). Article 4(1) |
| What Information is Protected? | Personal information that can be reasonably linked to a particular consumer or household. Cal. Civ. Code §§ 1798.140(o) and 1798.145(c)-(f). | Any information relating to an identified or identifiable data subject. Articles 4(1) and 9(1) |
| Security | The CCPA establishes a right of action for certain data breaches that are a result of a business’s violation of its duty to implement and maintain reasonable security practices. Cal. Civ. Code § 1798.150(a)(1) | The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Article 24(1) |
| Right of Disclosure or Access | Consumers can request disclosure of their data and receive additional details about who has it. Cal. Civ. Code §§ 1798.100(d), 1798.110, 1798.115. | Data subjects can access their personal data and obtain information about the processing of it. Article 15 |
| Right of Data Portability | If asked, a business must provide personal information to the consumer in a readily usable format. Cal. Civ. Code §§ 1798.100(d) and 1798.130(a)(2). | If asked, a business must provide data subjects with a copy of their personal data in a commonly used format and must maintain the ability to transmit the personal data to another data controller. Article 20 |
| Responding to Rights Requests | A business must respond within 45 days after receipt of a consumer’s request and must provide the requested information free of charge. Cal. Civ. Code §§ 1798.100(c)-(d), 1798.105(c), 1798.110(b), 1798.115(b), 1798.130(a)(2), (b), 1798.140(y), and 1798.145(g). | Must respond to a verified request within one month (unless notice is given that it will take longer). Requests do not have to be free. Article 12 |
| Penalties | Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident. The California AG may bring civil penalties ranging from $2,500 to $7,500. There is a 30-day cure period. Cal. Civ. Code §§ 1798.150 and 1798.155 | Any information relating to an identified or identifiable data subject. Articles 4(1) and 9(1) |