Data has become one of the most valuable resources on the planet, so it's only right that governments are imposing regulations on how this data is processed, used, and disclosed by companies everywhere.
As part of regulatory compliance, the California Consumer Privacy Act (CCPA) is the next regulation we're all getting ready for.
But there are currently 80 countries that have passed privacy laws specific to personal data.
It's been over two years since The Economist published their "The world’s most valuable resource is no longer oil, but data" piece. Since then, there have been plenty of people who have disagreed with this notion (just for the sake of disagreeing sometimes).
If nothing else, David Parkins' editorial cartoon featured inside the piece certainly made its rounds around the internet:
After all, who doesn't love a dark and satirical cartoon illustration of the data-slurping tech giants as we know them?
But holding conglomerates accountable is just one part of what the CCPA stands for.
"Such dominance has prompted calls for the tech giants to be broken up, as Standard Oil was in the early 20th century. This newspaper has argued against such drastic action in the past. Size alone is not a crime."
— The Economist, May 6, 2017
As consumers and decent citizens of the world, we can all appreciate having laws enacted to protect the privacy of our personal data.
And as business owners and working professionals, we definitely want to stay on the right side of the law. After all, growing your business and respecting data privacy shouldn't be mutually exclusive.
That’s why both the General Data Protection Regulation (GDPR) and CCPA aim to pretty much do the same:
This includes your visitors or contractors you do business with. Who counts as a visitor? The visitor types can vary from company to company.
So let's dig a bit deeper into the business implications of CCPA, and the steps you can take to remain compliant.
The California Consumer Privacy Act (CCPA) "enhances" privacy rights and consumer protections for California residents. It's a California state law that was actually passed in June 2018 but doesn't go into effect until New Year's Day, 2020.
So no matter how groggy we wake up after celebrating the night before, CCPA is definitely happening.
On the surface, there seem to be four main goals to the Act:
If you haven't already, then your business needs to implement new privacy policies and procedures to ensure the protection of personal information for all your California resident clients.
Before we go any further, let's get some good news out of the way:
Even though the California Consumer Privacy Act has been likened to GDPR, the two are not interchangeable. Organizations that are already on top of their GDPR compliance will have a much easier time being CCPA-compliant.
So if you've been following our steps to compliance when it comes to GDPR and visitor management, then you've jumped through most of the CCPA hoops already.
However, the terms GDPR and CCPA are not interchangeable...
Source: The National Law Review
So, let's define exactly how and where CCPA may, or may not, affect your business.
The CCPA applies to any "for-profit" organizations that meet any of the following criteria:
So get this: The act of "doing business in California" isn't clearly defined in the CCPA.
Many points are still unclear:
However, under tax law, such companies have been found to meet these criteria based on their business or commercial ties to California.
As a result, thousands of businesses, including the ones not physically located in the state of California, could find themselves subject to the CCPA. This is similar to how businesses not based in EU countries can still be subject to the GDPR.
Note: There is a follow-up to this blog where we closely compare the differences between GDPR and CCPA.
According to the CCPA, California residents have the following rights:
"A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer."
— CCPA, Section 1798.100(a)
The CCPA also states that businesses must inform customers before or at the point of collection.
If all these rights listed above are making you nervous, then you can rest assured that the right visitor management software can help.
Going digital with a cloud-based visitor management system like Proxyclick's can help you manage and maintain your business's visitor data for CCPA audit purposes (similar to how we already do this for companies needing to stay in line with GDPR's level of consent, data minimization, and right to be forgotten).
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Therefore, according to CCPA, “personal information” includes categories of information such as:
Once you determine if the CCPA applies to your organization, you can move on to the next step—mapping the customer data you collect.
Doing that requires answering a number of questions:
These are just a few, but gathering the necessary information will help your company build a data privacy policy (DPP).
There are 9 points that should be included in your company's DPP.
Finally, in accordance with the CCPA, the privacy policy must be updated annually.
Any violation of the CCPA is assessed by the California Attorney General.
Intentional violations could result in a penalty of $7,500 per violation, and in the case of non-intentional violations, it could cost a business $2,500 for each violation of the CCPA requirements.
Additionally, CCPA provides consumers with a cause of action to seek damages for violation of privacy laws if their personal information was accessed illegally, stolen, or disclosed as a result of data breaches.
Statutory damages for such cases would be no less than $100 and as much as $750 per consumer per incident.
Many states are following suit, and have started to create their own data privacy regulations.
For example, Massachusetts, Maryland, Washington, D.C., and other U.S. states are already deliberating on passing privacy and data protection laws of their own.
Transparency and trust are always required when data privacy and protection are involved. Now, more than ever, it's time to take the steps necessary to protect the privacy of your customers and visitors alike.
Could these new regulations render data catastrophes—like the great Equifax breach and Facebook's Cambridge Analytica scandal—a thing of the past?
Our team will be following the CCPA's movements, so stay tuned for more content!
***
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.