What You Need to Know about the California Consumer Privacy Act
CCPA represents the first legislation of its kind to pass in the United States, but it’s certainly not the last.
On the heels of the European Union’s General Data Protection Regulation (GDPR) and the revelation that Facebook and other social media platforms were selling their data, consumers began to demand stronger data privacy protection. However, the U.S. constitution contains no express right to privacy. It’s typically left up to the civil court system to decide on such matters as governed by state law or precedent. When data privacy legislation called the California Consumer Protection Act (CCPA) was introduced last year, it was passed within weeks of its introduction.
The CCPA’s quick passage was widely seen as a compromise with online companies that were eager to prevent a tougher citizen proposal from going onto the ballot. The legislation, which went into effect Jan. 1, grants consumers new rights with respect to the collection of their personal information. The CCPA represents the first legislation of its kind to pass in the U.S., but it’s certainly not the last. In 2019, more than 20 states considered data privacy legislation. California will be an acid test to watch as the legislation takes effect.
Due to its focus on consumer privacy, the CCPA mandates full disclosure from companies regarding the collection of personal information — everything from what details they are keeping to what sources that information is coming from and why they are collecting it.
Under CCPA, California citizens have the right to opt out of having their data/ information sold. Users and customers must be notified from the get-go about their information. They have to acknowledge that their information is being collected, but they can choose not to allow those companies to sell their information to other companies. CCPA goes one step beyond GDPR to not only define privacy rights but to expose the economic value of consumer data.
The “right to be deleted” is another CCPA assurance for consumers, akin to GDPR’s right to be forgotten. Companies aren’t allowed to retaliate against those customers who opt out of allowing their information to be sold by charging them higher fees or rates.
The Logistics of CCPA Compliance
Every department must understand CCPA’s requirements, so manufacturers need to set up some training if they haven’t already. Companies that fall within CCPA’s jurisdiction will need to map all of the information they collect. And for many, they’ll find that certain departments have no understanding of the implications that arise from the information they regularly gather.
As a real-world example, consider that the marketing department most likely stores sales information about customers and prospects in a customer relationship management (CRM) tool to create stronger buying personas. However, marketers are likely unaware that CCPA requires documentation of where that data came from and why it is being used. And in a situation like this, pleading ignorance is no longer a viable defense.
This data is valuable to your company, and that means it is also valuable to others. One of the major aspects of CCPA is that companies must declare the value of the data they are collecting — so if a company plans to sell that data, it must declare its resale value.
Manufacturers must also justify why they possess customer data and to fully map where the information goes, including across their supply chain.
Manufacturers are also responsible for keeping this data safe, which couldchange how vendors are chosen. Organizations will need to analyze the risks that are associated with that vendor by conducting due diligence and then establish controls. They will have to put monitoring in place to ensure their vendors are in compliance with those data controls.
Yes, such laws require new processes and sometimes new people, but it doesn’t herald the death of manufacturers with California customers. Instead, companies can use this mandate to re-examine their partners, supply chain and data collection and storage purposes and methods. This, in turn, has the knock-on effect of stronger data security and greater consumer confidence.
Mark Sangster is the vice president and industry security strategist at eSentire. He has spent significant time researching and speaking to peripheral factors influencing the way that organizations integrate cybersecurity into their day-to-day operations.