In a few short months, California’s new Consumer Privacy Act (CCPA) will start being enforced, so what do you need to have ready? Here are some of the key provisions:
- All institutions will need to provide high levels of transparency as to what information they collect, how it is used, and any third parties it may be transferred to.
- Residents will have the right to request information that you hold on them, as well as information about what is being done with that data and who it is being shared with.
- Former residents have the right to have their information erased if that data is no longer required to be kept by law.
- Institutions will have to have a verification process for customers to prove their identities when requesting access or erasure of their data.
- If an institution sells data, it will need to disclose who it sells to, and will have to place a “Do Not Sell My Personal Information” button on its website to make it easy for residents to object. This will need to be opt-in if the resident is a child under 16. There is also a prohibition on treating consumers differently if they do not consent to the sale of their data.
Who has to comply?
The CCPA affects all for-profit businesses with $25 million or more in annual revenue. It also applies to any business that holds data on 50,000+ people, households or devices, and any business that derives at least half of its revenue from the sale of personal data. Under those guidelines, there are some institutions to which this law will not apply, but even those institutions will need to consider that many of their suppliers will have to be compliant with the legislation.
Who does it protect?
As you would expect, this law applies to everyone who is a California resident, and does not apply to anyone who is in the state for temporary reasons. Importantly though, it also protects anyone who is domiciled in California, but who leaves the state for temporary or transitory reasons; receiving education in another state is likely to fall into this category.
How is it enforced?
There are two ways the proposed law can be enforced. The first is by the California Attorney General, who can act based on complaints or in response to a security incident. The second is that the legislation creates a private right of action for California residents whose rights have been infringed by a data breach, either individually or as a class action.
When does it come into effect?
As of January 1st, 2020, all affected businesses need to comply, though the legislation also requires that the California Attorney General not take any enforcement actions until six months later, on July 1st, 2020.
There are still important aspects of this law that will need to be clarified before it comes into effect. As an example, if someone is banned from your institution for violence or breaking rules, can they ask for their information to be erased? Issues like these are still being clarified by the California Legislature.
The CCPA has acted as a catalyst, and there is now a push from tech companies to create a new federal privacy law, to prevent state-by-state requirements being put into place. This would also dovetail into some of the issues raised by the EU with regards to privacy. While there is no clear direction yet on what form any federal legislation might take, it is clear that privacy regulation is here to stay.